IndonesianFoods npm self-spreading worm

Malware Activity
H score 22
1 unique source, 1 article

Summary

The IndonesianFoods npm worm spreads itself by publishing new packages every seven seconds, flooding the registry and creating supply-chain risk. Sonatype says it has already pushed over 100,000 packages and that the volume is still growing exponentially. The activity is also overwhelming security systems, generating 72,000 new advisories in a single day.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

Mini Shai-Hulud npm supply-chain malware wave

Malware Activity
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...

Timeline

  1. 14.11.2025 00:07 2 articles · 6mo ago

    IndonesianFoods npm worm flooding the registry

    Initial Disclosure

    The IndonesianFoods npm worm is flooding the registry by spawning new packages every seven seconds with randomized Indonesian names and food terms. Sonatype says it has published over 100,000 packages and is growing exponentially, and that the activity overwhelmed multiple security data systems and generated 72,000 new advisories in a single day. Endor Labs reports that some packages abuse the TEA Protocol through tea.yaml files and that the campaign began two years ago: 43,000 packages were added in 2023, TEA monetization was implemented in 2024, and a worm-like replication loop was introduced in 2025. Sonatype also reports that the same actors tried a package named 'fajar-donat9-breki' on September 10, but it failed to spread.