IndonesianFoods self-replicating npm spam campaign
Campaign
Summary
The IndonesianFoods campaign has published 46,484 fake npm packages since early 2024, flooding the npm registry and creating supply-chain risk for developers. The packages masquerade as Next.js projects and carry a dormant JavaScript worm that does not run on install: it executes only when someone manually runs a bundled file such as `node auto.js`. Once triggered, the script repeatedly rewrites `package.json` and runs `npm publish` in an infinite loop, pushing a new package every 7 to 10 seconds. The operation appears designed to monetize TEA tokens by inflating impact scores; GitHub, which operates npm, has removed the packages.
Related Happenings
Packagist package.json hook supply chain attack campaign
Campaign
First: 23.05.2026 19:07
Last: 23.05.2026 19:07
Sources 1
About this happening:
A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Timeline
13.11.2025 06:58 2 articles · 6mo ago
IndonesianFoods npm spam campaign disclosure
Campaign Scope Update
IndonesianFoods is a self-replicating npm spam campaign that has published 46,484 fake packages since early 2024. The packages masquerade as Next.js projects and carry dormant JavaScript files such as auto.js and publishScript.js that loop through package.json changes and repeated npm publish actions. The package network references other spam packages as dependencies, expands across a small set of npm accounts, and is designed to flood the npm registry, waste infrastructure resources, pollute search results, and create supply-chain risk.
- Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack — thehackernews.com — 13.11.2025 06:58
- New ‘IndonesianFoods’ worm floods npm with 100,000 packages — www.bleepingcomputer.com — 14.11.2025 00:07