Amazon researchers uncover major token farming malware scam - over 150,000 malicious packages found
Someone has been flooding npm with wormlike packages
- Over 150,000 npm packages linked to a TEA token farming scheme were flagged by Amazon Inspector
- Attackers used self-replicating spam packages to fake developer impact and earn crypto rewards
- Researchers call it a major supply chain security event, urging stronger registry defenses and collaboration
Researchers have found tens of thousands of self-replicating, yet seemingly pointless, npm packages, which appear to be part of a large-scale fraud operation looking to earn crypto tokens for the fraudsters.
Cybersecurity researchers at Endor Labs recently discovered more than 43,000 spam packages that apparently took two years, and at least 11 accounts, to upload. The packages, making up roughly 1% of the entire npm ecosystem, are not malicious in the traditional sense of the word - they’re not stealing data, providing a backdoor, or encrypting system files. They are, however, self-replicating when they’re downloaded and run.
Endor speculated that they could be turned malicious via an update, but also said they could be part of a financially motivated campaign, since some of the packages included tea.yaml files listing TEA accounts.
Confirming the suspicions
Tea is a decentralized protocol in which open source developers are rewarded for contributing software, so the attackers may have been trying to inflate their impact scores and thus earn more TEA tokens.
Now, Amazon’s researchers have seemingly confirmed these suspicions. In a new report, the company said its Amazon Inspector (a security assessment service from AWS) was recently updated with a new detection rule, which flagged more than 150,000 packages linked to the tea.xyz token farming campaign - three times the size of the initial report.
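As an added illustration (not code from Amazon, Endor Labs or the tea project), a stdlib-only Python audit of unpacked npm packages that looks for the indicator the reports describe: a tea.yaml crediting TEA accounts inside a package that also runs code at install time, grouped by account so that many packages crediting one account stand out. The tea.yaml layout (a codeOwners list), the install-hook heuristic and the sample packages are assumptions constructed for this example.

```python
import json, re, tempfile
from collections import defaultdict
from pathlib import Path

# Assumed tea.yaml shape: a top-level 'codeOwners:' key followed by '- <account>' items.
_OWNER_RE = re.compile(r"^\s*-\s*['\"]?([^'\"\s]+)['\"]?\s*$")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def tea_accounts(pkg_dir: Path) -> list:
    """Accounts credited by <pkg>/tea.yaml, or [] when the file is absent."""
    if not (pkg_dir / "tea.yaml").is_file():
        return []
    owners, in_block = [], False
    for line in (pkg_dir / "tea.yaml").read_text().splitlines():
        if line.strip() and not line.startswith((" ", "-")):
            in_block = line.startswith("codeOwners:")  # other top-level keys end the block
            continue
        m = _OWNER_RE.match(line) if in_block else None
        if m:
            owners.append(m.group(1))
    return owners

def audit_package(pkg_dir: Path) -> dict:
    """Suspicious = credits TEA accounts AND runs code at install time (heuristic)."""
    meta = json.loads((pkg_dir / "package.json").read_text())
    hooks = [h for h in INSTALL_HOOKS if h in meta.get("scripts", {})]
    accounts = tea_accounts(pkg_dir)
    return {"name": meta.get("name"), "accounts": accounts, "hooks": hooks,
            "suspicious": bool(accounts and hooks)}

def farming_clusters(root: Path) -> dict:
    """Group suspicious packages under <root> by the TEA account they credit."""
    hits = defaultdict(list)
    for pkg_json in root.rglob("package.json"):
        r = audit_package(pkg_json.parent)
        for acct in (r["accounts"] if r["suspicious"] else []):
            hits[acct].append(r["name"])
    return dict(hits)

def build_sample_tree() -> Path:
    root = Path(tempfile.mkdtemp())  # constructed sample: one ordinary and two spam-like packages
    tea = "version: 1.0.0\ncodeOwners:\n  - '0xPLACEHOLDER'\nquorum: 1\n"  # constructed account
    for name, hook, has_tea in (("useful-lib", "test", False),
                                ("spam-a", "postinstall", True), ("spam-b", "preinstall", True)):
        (root / name).mkdir()
        (root / name / "package.json").write_text(json.dumps({"name": name, "scripts": {hook: "node x.js"}}))
        if has_tea:
            (root / name / "tea.yaml").write_text(tea)
    return root
```

Run it against a directory of extracted tarballs (one package per folder) to see which accounts are credited by an unusual number of install-hook packages.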
It took Amazon roughly a week to go from updating the detection rules, to discovering 150,000 packages, to validating the results with OpenSSF.
“This is one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security,” Amazon explained.
“This incident demonstrates both the evolving nature of threats where financial incentives drive registry pollution at unprecedented scale, and the critical importance of industry-community collaboration in defending the software supply chain.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.