A worm-like spam campaign flooded NPM with over 43,000 fake packages, exposing major gaps in registry security and highlighting the need for stronger safeguards.

Continue reading
Cybersecurity analysts have identified a large-scale, two-year spam operation that flooded the npm registry with tens of thousands of fake packages. Beginning in early 2024, a coordinated network of automated scripts started mass-publishing malicious yet functionally empty packages at high speed. The volume and persistence of the campaign made it one of the most disruptive registry-level incidents in recent years.
Researchers discovered that more than 43,000 bogus packages were uploaded across multiple attacker-controlled accounts. These entries remained active on the registry for almost two years without triggering standard security or cleanup mechanisms.
The packages shared a consistent structure, often mimicking legitimate Next.js project templates, which helped them blend into the ecosystem. Despite the scale, the artifacts contained no functional malware. Instead, they acted as placeholders designed to inflate the registry with noise.
The packages were not independent uploads. They were interconnected through a self-replicating publishing system built to automatically generate, link, and deploy new packages in rapid succession. This worm-like behavior is what led analysts to label the incident a “worm,” even though no conventional payload or exploit mechanism was involved.
Security researchers observed a peculiar naming convention repeated across the fake packages. This unique signature inspired the community to refer to the incident as the “IndonesianFoods” npm worm. While the names varied, the pattern was distinct enough to correlate uploads and identify them as part of the same coordinated effort.
Unlike typical supply-chain attacks involving npm package poisoning, this campaign did not aim to steal data, hijack environments, or compromise build pipelines. Its purpose was purely disruptive.
The objective was straightforward: Overwhelm the npm registry with random, auto-generated packages and pollute the ecosystem.
This large-scale noise injection raises concerns about:
Although the fake packages contained no harmful code, their scale created systemic friction for developers, maintainers, and security teams. Search results became cluttered, automated dependency monitors encountered unusually high volumes of junk data, and the registry faced an unnecessary operational load.
The incident highlights a growing trend: attackers exploiting the openness of public package registries not for compromise, but for disruption. This shift indicates the need for stronger publishing safeguards, anomaly detection, and cleanup workflows in ecosystems like npm.
The “IndonesianFoods” npm worm stands out not for technical sophistication but for sheer volume and longevity. By pushing more than 43,000 interlinked fake packages over two years, the operators exposed critical gaps in registry oversight. Strengthening automated detection, enforcing stricter publishing controls, and refining ecosystem hygiene practices will be essential to prevent similar spam-driven disruptions in the future.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation