A new self-replicating campaign is saturating the npm ecosystem with spam packages. The worm, tracked as IndonesianFoods, is publishing new packages every 7–10 seconds and has already pushed 100,000+ releases with pseudo‑random names—often themed after Indonesian cuisine. While no malicious payload has been confirmed inside the packages to date, the automation and scale create material risk for software supply chains.
Scale and automation are overloading npm and security tooling
Security researcher Paul McCarthy first spotlighted the activity and launched a public tracker of related accounts and package counts. According to Sonatype, the earliest attempts date back to September 10, 2025 (e.g., fajar-donat9-breki), but replication logic did not meaningfully propagate at that time. The current wave is unprecedented in pace and volume, “overloading multiple security systems.” For example, Amazon Inspector—surfacing issues via OSV advisories—is generating large alert volumes, and Sonatype recorded 72,000 new advisories in a single day, illustrating the alert-fatigue risk for defenders.
How the IndonesianFoods worm replicates across the registry
Researchers report the worm’s code resides in a single JavaScript file inside each package (auto.js or publishScript.js). It does not auto‑execute and does not register install-time lifecycle hooks such as postinstall; activation requires someone to run it by hand, for example node auto.js. Once started, the script loops indefinitely: it removes “private”: true from package.json (the field that makes npm refuse to publish), generates a new package name and version so the registry’s duplicate checks do not reject the upload, and issues npm publish. The result is registry pollution, added infrastructure load, and contaminated search results. Installing one of these packages does not by itself run anything, but a package that has made its way into a dependency tree, directly or transitively, is a foothold that a later release from the same account can fill with a real payload.
Monetization hypothesis: exploiting TEA Protocol incentives
Endor Labs observed tea.yaml files in some packages containing credentials and wallet addresses, indicating an attempt to abuse the TEA Protocol—a blockchain platform that rewards open-source contributions with tokens. The suspected strategy is straightforward: more packages and higher measured “impact” can yield larger payouts. Analysts posit a staged evolution: in 2023, roughly 43,000 packages were seeded; in 2024, TEA-linked monetization was added; and by 2025 the self‑replication component turned IndonesianFoods into a worm. This pattern resembles a Sybil-style exploitation of incentive systems rather than classic data-theft malware.
Supply chain risk outlook and related worm activity
Although current samples show no backdoors or data exfiltration, the risk of a “hot payload swap” remains: an update or companion dependency could later deliver malicious code once defenders are desensitized by noise. Recent worms such as GlassWorm (OpenVSX and Visual Studio Code Marketplace) and Shai‑Hulud (hundreds of npm packages) reinforce a trend where low-complexity automation provides cover for more targeted attacks across open-source ecosystems.
Actionable defenses for developers and registries
Recommended controls for engineering teams
– Pin dependencies with a lockfile, install from it with npm ci (which fails rather than silently resolving a changed tree), and restrict updates via allowlists.
– Proxy through a private registry (e.g., Verdaccio, Artifactory) and quarantine new or unverified packages.
– Enforce npm 2FA and use provenance/attestations where available.
– Default CI to --ignore-scripts (or ignore-scripts=true in .npmrc) and block arbitrary lifecycle hooks.
– Employ SCA and anomaly detection (e.g., Sonatype, Endor Labs, osv-scanner) to track suspicious publication patterns and dependency drift.
– Avoid wildcard and overly broad version ranges; prefer exact pins over caret/tilde ranges, and do not adopt packages found through unvetted registry searches, whose results this campaign now contaminates.
Measures for registry operators and ecosystems
– Apply publish rate limiting, behavioral analytics, and automatic quarantine for bursty or templated package series.
– Strengthen maintainer verification and detect template-code farms for deduplication.
– Coordinate notifications across OSV and scanners to cut alert fatigue while preserving incident visibility.
IndonesianFoods underscores how high-volume “noise” can erode trust in the world’s largest JavaScript package registry and widen openings for targeted compromises. Organizations should reassess dependency hygiene, tighten publish and intake controls, and invest in anomaly detection now. Early adoption of these measures lowers the odds that the next wave of spam packages becomes the start of a genuine supply chain attack.