NPM’s Spicy Spam: IndonesianFoods Worm Floods Registry with 80,000 Packages!

Security researchers are in a frenzy as tens of thousands of malicious NPM packages, dubbed the “IndonesianFoods worm,” are served up by a threat actor. These packages flood the registry with junk, each masquerading as a legitimate Next.js app. The worm’s infinite loop of spamming is like a never-ending buffet of chaos!

Hot Take:

***Just when you thought it was safe to download that Indonesian recipe app, a worm slithers into NPM, leaving developers with a bad taste and even worse package management nightmares.***

Key Points:

– A wormy surprise: Over 43,900 malicious NPM packages have been unleashed, all tied to Indonesian names and foods.
– Spam, not steal: Unlike normal cyber shenanigans, this campaign doesn’t steal credentials but uses the NPM ecosystem for spamming.
– Self-replication madness: The worm publishes a new package every 7 seconds, creating a never-ending spam loop.
– Disguised danger: The malware masks itself as a Next.js app to sneak past defenses.
– Future threat?: This might just be a rehearsal for future, more sinister cyber attacks.
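
The 7-second publish cadence in the key points is a signal that a registry mirror or internal proxy can alert on. The following is an added example, not code from the article or from npm: it flags accounts by publish rate over constructed events, and the event shape, thresholds and all names are assumptions.

```javascript
// Added example. Event shape {publisher, name, time} is an assumption,
// not an npm registry API format; all names and data below are constructed.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns one finding per publisher that released at least minPackages distinct
// packages with a median gap between publishes of maxMedianGapSec or less.
function findBurstPublishers(events, { minPackages = 5, maxMedianGapSec = 10 } = {}) {
  const byPublisher = new Map();
  for (const e of events) {
    const t = Date.parse(e.time);
    if (Number.isNaN(t)) continue; // skip malformed timestamps
    if (!byPublisher.has(e.publisher)) byPublisher.set(e.publisher, []);
    byPublisher.get(e.publisher).push({ name: e.name, t });
  }
  const findings = [];
  for (const [publisher, list] of byPublisher) {
    const packages = new Set(list.map((p) => p.name)).size;
    if (packages < minPackages) continue;
    list.sort((a, b) => a.t - b.t);
    // Gap in seconds between each publish and the one before it.
    const gaps = list.slice(1).map((p, i) => (p.t - list[i].t) / 1000);
    const medianGapSec = median(gaps);
    if (medianGapSec <= maxMedianGapSec) findings.push({ publisher, packages, medianGapSec });
  }
  return findings;
}

// Constructed sample: one account on a 7-second loop, one ordinary maintainer
// publishing hourly, and one account with too few packages to judge.
const base = Date.parse("2025-01-01T00:00:00Z");
const series = (publisher, count, stepMs) =>
  Array.from({ length: count }, (_, i) => ({
    publisher,
    name: `${publisher}-pkg-${i}`,
    time: new Date(base + i * stepMs).toISOString(),
  }));
const SAMPLE_EVENTS = [
  ...series("constructed-spam-account", 6, 7000),
  ...series("constructed-maintainer", 5, 3600 * 1000),
  ...series("constructed-small-account", 2, 3000),
];

console.log(findBurstPublishers(SAMPLE_EVENTS));
```

The median is used rather than the mean so that a single long pause in the loop does not hide an otherwise steady cadence.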

The Nimble Nerd