NPM’s Spicy Crisis: IndonesianFoods Worm Attack Heats Up Package Chaos!

Security researchers have unearthed the “IndonesianFoods” attack on the npm ecosystem, spreading spam packages with worm-like techniques. In a maneuver that would make any self-respecting worm envious, this campaign generates over 17,000 packages a day, leaving developers with more headaches than a caffeine-free Monday morning.

Hot Take:

Looks like the npm ecosystem is the new hot spot for culinary-inspired attacks! The “IndonesianFoods” campaign is serving up a spicy dish of spam packages with a side of chaos. Is it a cybersecurity buffet or just another wormy ordeal? Either way, developers are going to need a bigger plate!

Key Points:

  • The “IndonesianFoods” campaign has been spamming npm with packages for over two years.
  • Attackers use scripts to make private packages public, generate random versions, and publish new spam packages.
  • Each execution can result in up to 17,000 spam packages per day.
  • The campaign aims to inflate “impact scores” for Tea token rewards through spammy interlinked packages.
  • It’s the latest in a series of large-scale npm attacks, showcasing the vulnerability of the ecosystem.
