Spam Attack Floods npm Registry with Over 46,000 Fake Packages, Overwhelming Infrastructure and Risking Supply Chain Security

In a significant cybersecurity incident, researchers have identified a large-scale spam campaign that has inundated the npm registry with over 46,000 counterfeit packages since early 2024. This operation, dubbed IndonesianFoods due to its use of Indonesian names and culinary terms, appears to be financially motivated and has persisted for nearly two years.

The campaign’s primary objective is to overwhelm the npm registry with a vast number of spurious packages, rather than engaging in data theft or deploying malicious payloads. This strategy not only clutters the registry but also poses potential risks to developers who might inadvertently incorporate these packages into their projects.

Mechanism of the Attack

Each of these fake packages contains a JavaScript file, typically named auto.js or publishScript.js. This script remains dormant until manually executed by a user, a design choice likely intended to evade automated security scans. Upon execution, the script initiates an infinite loop that performs the following actions:

1. Modification of Package Metadata: The script removes the private: true setting from the package.json file. That setting normally stops npm from publishing the package at all, so stripping it is what clears the way for the publish step that follows.

2. Generation of New Package Details: It creates a random package name using an internal dictionary and assigns a random version number. This approach helps bypass npm’s duplicate version detection mechanisms.

3. Publication to npm: The script publishes the newly generated package to the npm registry using the npm publish command. This process repeats indefinitely, resulting in the creation of a new package approximately every 7 to 10 seconds.

This relentless cycle leads to the addition of about 12 packages per minute, 720 per hour, and up to 17,000 per day, significantly burdening the npm infrastructure and polluting search results.

Potential Risks and Implications

While the immediate impact of this campaign is the saturation of the npm registry with junk packages, the broader implications are concerning:

– Resource Drain: The continuous publication of these packages consumes substantial infrastructure resources, potentially affecting the performance and reliability of the npm registry.

– Supply Chain Risks: Developers might inadvertently install these counterfeit packages, leading to potential security vulnerabilities in their applications.

– Evasion of Detection: The manual execution requirement of the malicious script is a deliberate tactic to evade automated security tools, making detection and mitigation more challenging.

Historical Context

This incident is part of a broader trend of attacks targeting the npm ecosystem:

– February 2023: Over 15,000 spam packages were published to the npm registry, containing phishing links designed to lure users into malicious websites.

– April 2023: Attackers flooded npm with bogus packages, causing a denial-of-service (DoS) attack that disrupted the registry’s operations.

– October 2025: A campaign involving 175 malicious npm packages was identified, aiming to harvest credentials from developers.

These incidents underscore the persistent threats facing open-source ecosystems and the need for vigilant security practices.

Recommendations for Developers

To mitigate the risks associated with such attacks, developers are advised to:

– Verify Package Authenticity: Before incorporating a package into a project, thoroughly review its source, maintainers, and community feedback.

– Limit Manual Script Execution: Avoid running scripts from untrusted sources, especially those that require manual execution.

– Implement Security Tools: Utilize automated tools to scan for vulnerabilities and suspicious activities within dependencies.

– Stay Informed: Keep abreast of the latest security advisories and updates related to the npm ecosystem.

By adopting these practices, developers can enhance the security of their applications and contribute to the overall integrity of the open-source community.