IndonesianFoods npm self-spreading worm
Malware Activity
Summary
Hide ▲
Show ▼
The IndonesianFoods npm worm is self-spreading by publishing new packages every seven seconds, flooding the registry and creating supply-chain risk. Sonatype says it has already pushed over 100,000 packages and the volume is still growing exponentially. The activity is also overwhelming security systems and generating 72,000 new advisories in a single day.
Related Happenings
Miasma GitHub and npm supply-chain campaign
Campaign
H score26
First: 02.06.2026 00:38
Last: 02.06.2026 00:38
Sources 1
About this happening:
The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Miasma GitHub and npm supply-chain campaign
CampaignAbout this happening: The **Miasma** supply-chain campaign has expanded into **npm** and the **Go ecosystem**, with **malicious npm releases** affecting **LeoPlatform** and **RStreams** packages and a...
Latest development: 05.06.2026 21:05
A new Miasma wave is linked to 57 compromised npm packages across more than 286 malicious versions, with malicious installs abusing a 157-byte binding.gyp file for code execution during npm install and then staging additional payloads that inject persistent backdoor files into project repositories and target AI-assisted IDE workflows.
Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows
Trend
H score39
First: 28.05.2026 18:30
Last: 28.05.2026 18:30
Sources 1
About this happening:
**Malicious open source packages** are shifting away from misspellings and toward plausible **plugin, config, SDK, and helper** names, expanding the risk of **credential theft** a...
Malicious open source packages shift from typosquatting to naming-variant impersonation in developer workflows
TrendAbout this happening: **Malicious open source packages** are shifting away from misspellings and toward plausible **plugin, config, SDK, and helper** names, expanding the risk of **credential theft** a...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
H score56
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...
Timeline
-
14.11.2025 00:07 2 articles · 7mo ago
IndonesianFoods npm worm flooding the registry
Initial DisclosureThe IndonesianFoods npm worm is flooding the registry by spawning new packages every seven seconds with randomized Indonesian names and food terms, and Sonatype says it has published over 100,000 packages while growing exponentially. Sonatype says the activity overwhelmed multiple security data systems and generated 72,000 new advisories in a single day, while Endor Labs reports that some packages abuse the TEA Protocol through tea.yaml files and that the campaign began two years ago, with 43,000 packages added in 2023, TEA monetization implemented in 2024, and a worm-like replication loop introduced in 2025. Sonatype also reports that the same actors tried a package named 'fajar-donat9-breki' on September 10, but it failed to spread.
Show sources
- New ‘IndonesianFoods’ worm floods npm with 100,000 packages — www.bleepingcomputer.com — 14.11.2025 00:07
- New ‘IndonesianFoods’ worm floods npm with 100,000 packages — www.bleepingcomputer.com — 14.11.2025 00:07