Find notable cyber news and cases, enriched with sources, timelines, and signals.

IndonesianFoods npm self-spreading worm

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The IndonesianFoods npm worm is self-spreading by publishing new packages every seven seconds, flooding the registry and creating supply-chain risk. Sonatype says it has already pushed over 100,000 packages and the volume is still growing exponentially. The activity is also overwhelming security systems and generating 72,000 new advisories in a single day.

Related Happenings

Miasma GitHub and npm supply-chain campaign

Campaign
H score26 First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...

Latest development: 05.06.2026 21:05

A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.

Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows

Trend
H score39 First: 28.05.2026 18:30 Last: 28.05.2026 18:30 Sources 1

About this happening: **Malicious open source packages** are shifting away from misspellings and toward plausible **plugin, config, SDK, and helper** names, expanding the risk of **credential theft** a...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Timeline

  1. 14.11.2025 00:07 2 articles · 7mo ago

    IndonesianFoods npm worm flooding the registry

    Initial Disclosure

    The IndonesianFoods npm worm is flooding the registry by spawning new packages every seven seconds with randomized Indonesian names and food terms, and Sonatype says it has published over 100,000 packages while growing exponentially. Sonatype says the activity overwhelmed multiple security data systems and generated 72,000 new advisories in a single day, while Endor Labs reports that some packages abuse the TEA Protocol through tea.yaml files and that the campaign began two years ago, with 43,000 packages added in 2023, TEA monetization implemented in 2024, and a worm-like replication loop introduced in 2025. Sonatype also reports that the same actors tried a package named 'fajar-donat9-breki' on September 10, but it failed to spread.

    Show sources