IndonesianFoods self-replicating npm spam campaign
Campaign
Summary
Hide ▲
Show ▼
The IndonesianFoods campaign has published 46,484 fake npm packages since early 2024, flooding the npm registry and creating supply-chain risk for developers. The packages masquerade as Next.js projects and hide a dormant JavaScript worm that only runs when someone manually executes files like node auto.js. Once triggered, the script repeatedly changes `package.json` and runs npm publish in an infinite loop, pushing a new package every 7 to 10 seconds. The operation appears designed to monetize TEA tokens by inflating impact scores, and GitHub has removed the packages.
Related Happenings
GitHub npm version 12 hardens installs and token management
Security Tool/Service
H score11
First: 09.07.2026 19:49
Last: 09.07.2026 19:49
Sources 1
About this happening:
**GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
GitHub npm version 12 hardens installs and token management
Security Tool/ServiceAbout this happening: **GitHub** released **npm version 12**, making install-time scripts opt-in by default and tightening **package publishing** controls to reduce **supply-chain risk**. The update al...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/ServiceAbout this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Packagist package.json hook supply chain attack campaign
Campaign
H score39
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Packagist package.json hook supply chain attack campaign
CampaignAbout this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Timeline
-
13.11.2025 06:58 2 articles · 7mo ago
IndonesianFoods npm spam campaign disclosure
Campaign Scope UpdateIndonesianFoods is a self-replicating npm spam campaign that has published 46,484 fake packages since early 2024, masquerading as Next.js projects and using dormant JavaScript files such as auto.js and publishScript.js to loop through package.json changes and repeated npm publish actions. The package network references other spam packages as dependencies, expands across a small set of npm accounts, and is designed to flood the npm registry, waste infrastructure resources, pollute search results, and create supply-chain risk.
Show sources
- Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack — thehackernews.com — 13.11.2025 06:58
- New ‘IndonesianFoods’ worm floods npm with 100,000 packages — www.bleepingcomputer.com — 14.11.2025 00:07