
New ‘IndonesianFoods’ worm floods npm with 100,000 packages


A self-spreading package published on npm spams the registry by spawning a new package every seven seconds, creating large volumes of junk.

The worm, dubbed ‘IndonesianFoods’ because of its distinctive package naming scheme, which combines random Indonesian names and food terms, has published over 100,000 packages according to Sonatype, and the number is growing exponentially.
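One practical way to catch a campaign like this is to look at publish cadence rather than package contents: a human maintainer does not ship a new package every seven seconds for days on end. The script below is an added example, not code from the article, from Sonatype or from Paul McCarty's tracker. It takes a list of publish events (package name, publisher, ISO timestamp), which you would assemble yourself from registry metadata, and flags publishers whose package count and median inter-publish gap look automated. The thresholds and the sample feed are constructed for illustration.

```javascript
// Added example: flag npm publishers whose publish cadence looks automated.
// Event records are constructed here; in practice you would build them from
// registry metadata (package name, publisher, publish timestamp).

// Median gap, in seconds, between consecutive timestamps (ms, ascending).
function medianGapSeconds(sortedTimesMs) {
  const gaps = [];
  for (let i = 1; i < sortedTimesMs.length; i++) {
    gaps.push((sortedTimesMs[i] - sortedTimesMs[i - 1]) / 1000);
  }
  if (gaps.length === 0) return Infinity; // a single publish has no cadence
  gaps.sort((a, b) => a - b);
  const mid = Math.floor(gaps.length / 2);
  return gaps.length % 2 ? gaps[mid] : (gaps[mid - 1] + gaps[mid]) / 2;
}

// Group events by publisher and flag accounts that publish many packages
// at a machine-like rate. Thresholds are hypothetical defaults, not values
// from the article.
function flagBurstPublishers(events, opts = {}) {
  const minPackages = opts.minPackages ?? 10;
  const maxMedianGapSec = opts.maxMedianGapSec ?? 60;

  const byPublisher = new Map();
  for (const ev of events) {
    const t = Date.parse(ev.time);
    if (Number.isNaN(t)) continue; // skip malformed timestamps
    if (!byPublisher.has(ev.publisher)) byPublisher.set(ev.publisher, []);
    byPublisher.get(ev.publisher).push(t);
  }

  const flagged = [];
  for (const [publisher, times] of byPublisher) {
    times.sort((a, b) => a - b);
    const medianGapSec = medianGapSeconds(times);
    if (times.length >= minPackages && medianGapSec <= maxMedianGapSec) {
      flagged.push({ publisher, count: times.length, medianGapSec });
    }
  }
  return flagged.sort((a, b) => b.count - a.count);
}

// Constructed sample feed: one worm-like account publishing every seven
// seconds, one busy but human-paced account, and one occasional publisher.
function sampleEvents() {
  const events = [];
  const burstStart = Date.parse('2025-11-10T08:00:00Z');
  for (let i = 0; i < 20; i++) {
    events.push({
      name: `sample-food-${i}`,             // placeholder names, not real packages
      publisher: 'burst-account',
      time: new Date(burstStart + i * 7000).toISOString(),
    });
  }
  const busyStart = Date.parse('2025-11-10T09:00:00Z');
  for (let i = 0; i < 12; i++) {
    events.push({
      name: `tooling-${i}`,
      publisher: 'busy-maintainer',
      time: new Date(busyStart + i * 3600 * 1000).toISOString(), // hourly
    });
  }
  for (const day of [1, 9, 30]) {
    events.push({
      name: `lib-v${day}`,
      publisher: 'occasional-maintainer',
      time: `2025-11-${String(day).padStart(2, '0')}T12:00:00Z`,
    });
  }
  return events;
}

// Stand-alone run: prints the flagged publishers.
console.log(flagBurstPublishers(sampleEvents()));
```

Only the seven-second account is flagged: the hourly publisher exceeds the package threshold but has a median gap of 3600 s, and the occasional publisher never reaches the count threshold. Tune `minPackages` and `maxMedianGapSec` to your own registry feed; the point is that rate, not content, separates a worm from a release train.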

Although the packages currently carry no component that is malicious to developers (e.g., stealing data or backdooring hosts), this could change with a single update that introduces a dangerous payload.

The level of automation and large-scale nature of the attack create the potential for broad supply-chain compromise.

Security researcher Paul McCarty, who first reported this spam campaign, created a page to track the offending npm publishers and the number of packages they have released on the platform.

Sonatype reports that the same actors performed another attempt on September 10, with a package named ‘fajar-donat9-breki.’ Although that package contained the same replication logic, it failed to spread.

“This attack has overwhelmed multiple security data systems, demonstrating unprecedented scale,” Sonatype’s principal security researcher, Garret Calpouzos, told BleepingComputer.

“Amazon Inspector is flagging these packages through OSV advisories, triggering a massive wave of vulnerability reports. Sonatype’s database alone saw 72,000 new advisories in a single day.”

The researcher commented that IndonesianFoods does not appear to focus on infiltrating developer machines, but rather to stress the ecosystem and disrupt the world’s largest software supply chain.

“The motivation is unclear, but the implications are striking,” noted Calpouzos.
