Executive Summary

A large-scale, worm-like spam operation has polluted the Node.js ecosystem by publishing tens of thousands of fake npm packages over a multi-year period. The operation, dubbed “IndonesianFoods,” uses automated scripts within packages to continuously create and publish new, low-quality clones that reference one another—forming circular dependency chains. While no destructive post-install payloads have been confirmed, the campaign’s scale and automation create substantial software supply chain risk, increase registry load, degrade trust in dependency resolution, and leave open the possibility of future activation through malicious updates.

Researchers estimate 44,000+ packages are associated with the campaign, attributed to a coordinated cluster of npm accounts engaged in spam publication waves over nearly two years. The targeted platform is the public JavaScript repository npm Registry.

Key Risk Factors

• Extreme scale and automation strain registry and dependency management systems.
• Dormant replication scripts may enable future activation through updates.
• Potential financial motive tied to abuse of blockchain-based open-source reward systems (tea.yaml).

Campaign Overview and Attribution

• Campaign identity: Consistently tracked as IndonesianFoods or IndonesianFoods npm worm campaign.
• Actor infrastructure: At least 11 npm accounts linked through similar code templates and naming conventions.
• Motivation: Likely financial, exploiting the TEA protocol open-source reward mechanisms. No confirmed nation-state or APT ties.
• Naming pattern: Combines Indonesian personal names with food-related terms and numeric suffixes—useful for detection and clustering.
• Confidence: Moderate. The campaign’s operational consistency indicates a single coordinated effort, though specific actor identity remains unknown.

Scope and Tempo

• Volume: Estimated 44,000–67,000 fake npm packages.
• Duration: ~2 years of sustained activity prior to exposure.
• Publication rate: Scripts produced continuous, high-speed publishing cycles capable of overwhelming registry indexing systems.
• Distribution: Packages inter-referenced one another to create recursive dependency loops, amplifying impact.

Technical Mechanisms

• Package template: Minimal functionality; includes dormant JavaScript scripts (auto.js, publishScript.js) and blockchain metadata files (tea.yaml).
• Self-replication logic: When manually executed, scripts:
  1. Remove “private”: true from package.json.
  2. Randomize package name/version.
  3. Re-publish using valid npm credentials.
  4. Loop indefinitely—worm-like propagation.
• Dependency pollution: Packages cross-reference spam dependencies, forming circular graphs that hinder automated cleanup.
• Evasion: No auto-execution; scripts remain dormant until manually triggered, evading install-time scans.

Indicators and Infrastructure

‍

Assessment: Linkages are notable but low-confidence. No proven integration between Lumma, Play, and IndonesianFoods at this stage.

Comparative Context

Similar npm ecosystem events—such as Shai Hulud and GlassWorm—demonstrate that worm-like registry abuse is an established pattern. These campaigns exploit open publication systems for spam proliferation and future payload staging.

Impact Assessment

1. Supply Chain Contamination

• High volume of junk packages undermines trust in npm as a reliable dependency source.
• Circular dependencies expand attack surfaces and complicate Software Bill of Materials (SBOM) generation.

2. Registry Strain

• Flooding increases bandwidth and moderation load on the npm Registry.
• Impacts legitimate developers via slower indexing and degraded service performance.

3. Latent Activation Risk

• Dormant scripts can easily be updated into active payloads (e.g., cryptominers, backdoors).
• Some packages observed accumulating real downloads, expanding downstream risk.

Supporting analysis: Endor Labs and Sonatype independently corroborated the spam activity and confirmed measurable ecosystem disruption.

MITRE ATT&CK Mapping

‍

Risk to Software Supply Chains

• Trust erosion: Registry flooding undermines credibility of open-source supply chains.
• Operational exposure: Dependency sprawl complicates auditing, vulnerability scanning, and remediation.
• Strategic risk: Infrastructure could support immediate activation of malicious updates at ecosystem scale.

Recommendations

For Security and Development Teams

• Govern Dependencies: Enforce allow/deny lists; prefer internal mirrors and signed registries.
• Harden CI/CD: Disable or review install-time scripts; flag unverified dependencies.
• Continuous Monitoring: Detect abnormal package naming patterns and low-quality code indicators.
• Incident Response: Maintain up-to-date SBOMs and dependency maps for rapid containment.

For Leadership and Risk Owners

• Recognize public registries as critical third-party risk vectors.
• Mandate SCA and SBOM adoption across all engineering teams.
• Incorporate registry abuse scenarios into enterprise threat modeling and tabletop exercises.

Gaps, Limitations, and Confidence

• Infrastructure Linkage: Domain leg-sate-boat.sbs shows malicious detections but lacks operational correlation to the npm worm.
• Actor Correlation: Mentions of Play ransomware are unverified.
• Confidence: Moderate—behavior is well-documented, attribution remains indeterminate.

Appendix: Notable Entities and IOCs

Conclusion

The IndonesianFoods npm worm represents a high-scale, automated registry abuse campaign that threatens the integrity of the JavaScript ecosystem. Despite lacking destructive payloads, its worm-like replication and dependency pollution expose significant supply chain risk. Furthermore, potential ties to financial incentives like TEA token exploitation illustrate how economic gamification of open-source contributions can unintentionally fuel abuse.

Defenders should prioritize dependency governance, CI/CD hardening, and anomaly detection for package behaviors and metadata. While infrastructure enrichment uncovered possible links to Lumma Stealer and Play ransomware, these remain unverified. Continued monitoring and proactive mitigation are vital to prevent future activation scenarios.

Citations

1. leg-sate-boat.sbs (VirusTotal, Shodan Search, Nov 15, 2025)
2. Malicious Packages Count – 44,000+ (Nov 15, 2025)
3. Lumma Stealer (Nov 15, 2025)
4. Play Ransomware Group (Nov 15, 2025)
5. IndonesianFoods (Nov 15, 2025)
6. IndonesianFoods npm worm campaign (Nov 15, 2025)
7. Shai Hulud (Nov 15, 2025)
8. GlassWorm (Nov 15, 2025)
9. npm Registry (Nov 15, 2025)
10. Endor Labs (Nov 15, 2025)
11. Sonatype (Nov 15, 2025)

‍

‍