NPM’s Spam-ocalypse: How IndonesianFoods Worm is Stirring Up the Software Pot!

The IndonesianFoods spam campaign has inundated the npm registry with over 46,000 fake packages, showcasing a worm-like propagation mechanism. The campaign cleverly exploits npm’s open nature, evading detection by requiring manual script execution. While not stealing data, it strains resources and highlights vulnerabilities in security scanners.

3P
Published: November 13, 2025 5:56 amAdded: November 12, 2025 at 10:26 pmAssembled by: The Editor
Pro Dashboard

Hot Take:

In a plot twist that only the cyber world can deliver, the npm registry has become the unlikely victim of a culinary crusade. Instead of data theft, the attackers chose to unleash a buffet of bogus packages named after Indonesian delicacies. It’s like a food fight, but with code, and the dishes just keep on coming!

Key Points:

  • A spam campaign flooded the npm registry with over 46,000 fake packages.
  • The campaign is named IndonesianFoods due to its use of Indonesian names and food terms.
  • The attack uses a worm-like propagation method, with packages masquerading as Next.js projects.
  • The spam campaign is linked to a monetization strategy involving the Tea protocol.
  • GitHub has removed the malicious packages, but the attack highlights security scanner blind spots.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?