- Over 150,000 npm packages linked to a TEA token farming scheme were flagged by Amazon Inspector
- Attackers used self-replicating spam packages to fake developer impact and earn crypto rewards
- Researchers call it a major supply chain security event, urging stronger registry defenses and collaboration
Researchers have found tens of thousands of self-replicating, yet seemingly pointless, npm packages, which appear to be part of a large-scale fraud operation looking to earn crypto tokens for the fraudsters.
Cybersecurity researchers at Endor Labs recently discovered more than 43,000 spam packages that apparently took two years, and at least 11 accounts, to upload. The packages, making up roughly 1% of the entire npm ecosystem, are not malicious in the traditional sense of the word – they are not stealing data, providing a backdoor, or encrypting system files. They are, however, self-replicating when they are downloaded and run.
Endor speculated that they could be turned malicious via an update, but also said they could be part of a financially motivated campaign, since some of the packages included tea.yaml files listing TEA accounts.
Confirming the suspicions
Tea is a decentralized protocol in which open source developers are rewarded for contributing software, meaning the attackers may have tried to fake their impact scores and thus earn more TEA tokens.
Now, Amazon’s researchers have seemingly confirmed these suspicions. In a new report, the company said its Amazon Inspector (a security assessment service from AWS) was recently updated with a new detection rule, which flagged more than 150,000 packages linked to the tea.xyz token farming campaign – three times the size of the initial report.
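One way a registry maintainer or a security team could triage a batch of unpacked npm packages for the indicators the Endor and Amazon reports describe (tea.yaml files naming TEA accounts, packages that replicate when installed) is shown below. This is an added example, not the article's, Endor Labs' or Amazon Inspector's code, and it does not reproduce Amazon's detection rule. The heuristics (a tea.yaml present, install lifecycle hooks in package.json, and several packages sharing byte-identical tea.yaml content), the fixture packages and the placeholder code-owner values are all constructed for the example.

```python
"""Added example (not code from the article, Endor Labs or Amazon): triage
unpacked npm packages for TEA token-farming indicators. Heuristics assumed:
a tea.yaml file, install lifecycle hooks, and many packages sharing one
identical tea.yaml (one beneficiary behind a cluster of packages)."""
import hashlib
import json
import os
import tempfile
from collections import defaultdict

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def inspect_package(pkg_dir):
    """Collect indicators for one unpacked package directory."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    scripts = manifest.get("scripts") or {}
    tea_digest = None  # sha256 of tea.yaml, used to cluster packages
    tea_path = os.path.join(pkg_dir, "tea.yaml")
    if os.path.isfile(tea_path):
        with open(tea_path, "rb") as fh:
            tea_digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "name": manifest.get("name", os.path.basename(pkg_dir)),
        "tea_digest": tea_digest,
        "install_hooks": [h for h in INSTALL_HOOKS if h in scripts],
    }


def triage(root, min_cluster=3):
    """Return [(package name, [reasons])] for packages worth a closer look."""
    results = []
    for entry in sorted(os.listdir(root)):
        pkg_dir = os.path.join(root, entry)
        if os.path.isfile(os.path.join(pkg_dir, "package.json")):
            results.append(inspect_package(pkg_dir))
    # Group packages by identical tea.yaml content: a farming campaign
    # points many throwaway packages at the same reward account(s).
    clusters = defaultdict(list)
    for r in results:
        if r["tea_digest"]:
            clusters[r["tea_digest"]].append(r["name"])
    flagged = []
    for r in results:
        if r["tea_digest"] is None:
            continue  # no TEA claim at all: outside this heuristic
        reasons = []
        peers = len(clusters[r["tea_digest"]]) - 1
        if peers + 1 >= min_cluster:
            reasons.append("shares tea.yaml with %d other packages" % peers)
        if r["install_hooks"]:
            reasons.append("tea.yaml plus install hook(s): " + ", ".join(r["install_hooks"]))
        if reasons:
            flagged.append((r["name"], reasons))
    return flagged


def build_sample():
    """Constructed fixture: five unpacked packages in a temp directory.
    The tea.yaml bodies and code-owner values are placeholders, not real data."""
    root = tempfile.mkdtemp(prefix="npm-triage-")
    shared_tea = "version: 1.0.0\ncodeOwners:\n  - '0xPLACEHOLDER-SHARED'\n"
    unique_tea = "version: 1.0.0\ncodeOwners:\n  - '0xPLACEHOLDER-UNIQUE'\n"
    fixtures = {
        "spam-a": ({"postinstall": "node setup.js"}, shared_tea),
        "spam-b": ({"postinstall": "node setup.js"}, shared_tea),
        "spam-c": ({}, shared_tea),
        "honest-tea": ({}, unique_tea),  # one genuine TEA participant
        "plain-lib": ({"postinstall": "node build.js"}, None),  # no TEA claim
    }
    for name, (scripts, tea) in fixtures.items():
        pkg_dir = os.path.join(root, name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": "1.0.0", "scripts": scripts}, fh)
        if tea is not None:
            with open(os.path.join(pkg_dir, "tea.yaml"), "w", encoding="utf-8") as fh:
                fh.write(tea)
    return root


if __name__ == "__main__":
    for name, reasons in triage(build_sample()):
        print(name, "->", "; ".join(reasons))
```

Against the constructed fixture, the three packages sharing one tea.yaml are flagged (two of them additionally for carrying an install hook), while the lone package with its own tea.yaml and the package with a build-time postinstall but no TEA claim are left alone. To run it on real material, point `triage()` at a directory of unpacked tarballs, one folder per package with its package.json at the top level; the cluster threshold is a tunable, and a hit is a reason to look, not proof of farming.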
It took Amazon roughly a week to go from updating the detection rules, to discovering 150,000 packages, to validating the results with OpenSSF.
“This is one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security,” Amazon explained.
“This incident demonstrates both the evolving nature of threats where financial incentives drive registry pollution at unprecedented scale, and the critical importance of industry-community collaboration in defending the software supply chain.”