
IndonesianFoods self-replicating npm spam campaign

Campaign
First reported
Last updated
Happening score
H score 12
2 unique sources, 2 articles

Summary


The IndonesianFoods campaign has published 46,484 fake npm packages since early 2024, flooding the npm registry and creating supply-chain risk for developers. The packages masquerade as Next.js projects and hide a dormant JavaScript worm that only runs when someone manually executes files like `node auto.js`. Once triggered, the script repeatedly changes `package.json` and runs `npm publish` in an infinite loop, pushing a new package every 7 to 10 seconds. The operation appears designed to monetize TEA tokens by inflating impact scores, and GitHub has removed the packages.

Related Happenings

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score 11 · First: 12.06.2026 16:00 · Last: 12.06.2026 16:00 · Sources: 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score 11 · First: 10.06.2026 22:41 · Last: 10.06.2026 22:41 · Sources: 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Miasma GitHub and npm supply-chain campaign

Campaign
H score 26 · First: 02.06.2026 00:38 · Last: 02.06.2026 00:38 · Sources: 1

About this happening: The **Miasma** supply-chain campaign has expanded into a new **PyPI** branch called **Hades**, with **37 malicious wheel artifacts** across **19 packages**. The compromised releas...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte `binding.gyp` file for code execution during `npm install` and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Packagist package.json hook supply chain attack campaign

Campaign
H score 39 · First: 23.05.2026 19:07 · Last: 23.05.2026 19:07 · Sources: 1

About this happening: A **coordinated supply chain attack campaign** compromised **eight Packagist packages**, creating repeat execution risk for projects that install the affected versions. The malici...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score 69 · First: 18.05.2026 12:45 · Last: 18.05.2026 12:45 · Sources: 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 13.11.2025 06:58 2 articles · 7mo ago

    IndonesianFoods npm spam campaign disclosure

    Campaign Scope Update

    IndonesianFoods is a self-replicating npm spam campaign that has published 46,484 fake packages since early 2024, masquerading as Next.js projects and using dormant JavaScript files such as `auto.js` and `publishScript.js` to loop through `package.json` changes and repeated `npm publish` actions. The package network references other spam packages as dependencies, expands across a small set of npm accounts, and is designed to flood the npm registry, waste infrastructure resources, pollute search results, and create supply-chain risk.
