Thousands of fake packages flood npm registry in major attack – here’s what we know

  • Over 43,000 dormant spam packages flooded npm in a coordinated two-year campaign
  • Some packages contained worm-like scripts that auto-generated and published new entries
  • Attackers may have faked TEA impact scores to earn decentralized developer rewards

Roughly 1% of the entire npm ecosystem now consists of bogus, dormant packages that were uploaded as part of a years-long targeted – and potentially malicious – campaign, experts have claimed.

Cybersecurity researchers Endor Labs discovered more than 43,000 spam packages which took almost two years to upload in a coordinated effort that took at least 11 distinct user accounts to pull off.

“The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” the researchers said.

TEA token harvesting?

The researchers dubbed the campaign IndonesianFoods because of the way the packages are named. The script used for naming contains two internal dictionaries, one with Indonesian personal names and the other with Indonesian food terms. When the script runs, it selects two terms at random, adds a number, and appends a suffix.

The strange part is that the packages themselves are not malicious. They’re not designed to steal sensitive developer data, or to act as a backdoor. Instead, they just lie there, dormant, gathering downloads.

Some packages have thousands of weekly downloads, the researchers explain, hinting that it gives the attacker a potential edge: “This leaves an opportunity for the attackers to push a malicious commit in the future that would affect all those downloads.”

Some of the packages did contain a worm-like script which, if run, would generate additional packages and publish them to npm.
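The naming scheme described above (one personal-name term, one food term, a number, a suffix) is a pattern a defender can screen a dependency tree for. The following is an added example, not code from the article or from Endor Labs: it builds a heuristic matcher from word lists and audits a package-lock.json for installed packages whose names fit. The word lists, the suffixes, and the hyphen separator are constructed assumptions, since the article does not reproduce the campaign's actual dictionaries or suffix; the lockfile fragment is likewise constructed.

```javascript
// Added example (not from the article or Endor Labs): a heuristic that flags
// dependency names following the naming scheme the article describes, namely
// one term from a list of Indonesian personal names, one from a list of
// Indonesian food terms, a number and a suffix. The word lists, suffixes and
// the hyphen separator below are constructed assumptions; the real
// dictionaries and suffix are not reproduced in the article.
const SAMPLE_NAMES = ["budi", "siti", "agus", "dewi", "rina"];
const SAMPLE_FOODS = ["nasi", "rendang", "sate", "bakso", "gudeg", "soto"];
const SAMPLE_SUFFIXES = ["-js", "-lib", "-pkg"]; // assumed; may also be absent

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build one anchored pattern: <name>-<food> or <food>-<name>, an optional
// hyphen, one or more digits, and an optional suffix (case-insensitive).
function buildCampaignPattern(names, foods, suffixes) {
  const alt = (list) => list.map(escapeRegExp).join("|");
  const n = `(?:${alt(names)})`;
  const f = `(?:${alt(foods)})`;
  const sfx = suffixes.length ? `(?:${alt(suffixes)})?` : "";
  return new RegExp(`^(?:${n}-${f}|${f}-${n})-?\\d+${sfx}$`, "i");
}

const DEFAULT_PATTERN = buildCampaignPattern(SAMPLE_NAMES, SAMPLE_FOODS, SAMPLE_SUFFIXES);

// The scope prefix (@org/) is stripped before matching so scoped packages
// are judged by their bare name as well.
function looksLikeCampaignName(pkgName, pattern = DEFAULT_PATTERN) {
  const bare = pkgName.startsWith("@") ? pkgName.split("/")[1] || "" : pkgName;
  return pattern.test(bare);
}

// Walk a package-lock.json (lockfileVersion 2 or 3, which carry a "packages"
// map keyed by install path) and return every installed package, nested
// ones included, whose name matches the pattern.
function auditLockfile(lock, pattern = DEFAULT_PATTERN) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the root project entry ("") has no node_modules/ prefix
    const name = path.slice(idx + marker.length);
    if (looksLikeCampaignName(name, pattern)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment for demonstration; the spam-looking names are
// made up and are not packages reported by the article.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/budi-rendang-42-js": { version: "1.0.0" },
    "node_modules/@scope/nasi-dewi-7": { version: "1.0.0" },
    "node_modules/express/node_modules/sate-budi-1000": { version: "0.0.1" },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. A name match on its own is a weak signal and the matcher is only as good as the word lists it is given, so treat hits as candidates for review (publisher account, repository link, install scripts, download history) rather than as verdicts.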

Besides the malicious potential, the researchers also believe this could be part of a financially motivated campaign. Apparently, some of the packages included tea.yaml files listing TEA accounts. Tea is a decentralized protocol that rewards open source developers for contributing software.

This could mean that the attackers tried to fake their impact scores, thus earning more TEA tokens.

Via The Hacker News

Sead Fadilpašić