Features 27.11.2025

AI Autopsy: A New npm Campaign Spells Trouble for the Software Supply Chain

The ‘IndonesianFood’ campaign has already flooded npm with over 150,000 spammy packages across multiple accounts

Phil Muncaster digs beneath the surface on what has been described as a “defining moment in supply chain security”

Open-source software runs the world. From Linux-based web servers to large language models (LLMs) based on PyTorch, it is near ubiquitous. Even the vast majority of commercial software contains open-source code. But the ecosystem is creaking, and threat actors are ruthlessly taking advantage. The latest campaign to surface is highly automated, worm-like and designed to fly under the radar. It could represent a sign of things to come.

AWS has described it as a “defining moment in supply chain security”. In response, decisive action is required: from both individual security teams, and the community as a whole.

A flood of spam

The npm ecosystem is one of the largest repositories of open-source packages in the world. It recorded 4.5 trillion requests for JavaScript code in 2024 alone, a 70% annual increase, according to Sonatype. But an environment this diverse can also provide cover for nefarious activity, especially if the threat actors behind it go to extra lengths to stay hidden.

First spotted by SourceCodeRed founder Paul McCarty, the ‘IndonesianFood’ campaign has already flooded npm with over 150,000 spammy packages across scores of accounts. They use a distinctive naming convention referencing dishes from the Southeast Asian country, hence the unusual moniker. But there’s much more that helps this campaign stand out from the crowd. McCarty believes it has been running covertly for over two years, partly because it doesn’t contain any malware.

How does it work? An Endor Labs analysis reveals that the campaign’s packages are disguised to appear legitimate – thanks to a normal-looking Next.js project structure, regular configuration files, legitimate dependencies, and standard documentation. The malicious part is an unreferenced script file named either “auto.js” or “publishScript.js” which must be executed manually by the user.

When this happens, it performs three actions in an infinite loop. It removes built-in npm privacy protections, generates a random version number to bypass npm’s duplicate-version detection, and then generates a new random package name based on an Indonesian foodstuff. The cycle repeats after a few seconds, meaning a single execution could end up publishing 12 packages per minute, or 17,000 per day, according to Endor Labs.

Although this isn’t exactly the self-replicating behaviour of a typical worm, its high degree of automation achieves the same result. Additionally, the spammy packages reference each other as dependencies. This means that when a user installs one, npm automatically fetches its entire dependency tree, which could stretch to over 100 packages. This eats up bandwidth and makes clean-up harder.

What’s the end goal?

Experts are divided over the motivations of the threat actors. The campaign is certainly highly coordinated and appears to have added capabilities during its two-year lifespan. The self-replicating feature was introduced this year, while a monetisation element dates back to 2024, according to Endor Labs. The latter could explain the motivation behind it. A large number of packages apparently abuse the TEA protocol, a blockchain-based system which is designed to reward open-source contributors with tokens.

In theory, the campaign could also be updated in the future to include malicious payloads in the offending packages. At the very least, it exploits registry bandwidth, infrastructure, and storage while flooding the ecosystem with low-quality packages that “obscure legitimate software and degrade trust in the open source community”, according to AWS.

Sonatype CTO Brian Fox isn’t sure this is a financially motivated campaign. “If profit were the goal, you’d see a consistent pattern of monetisation across every infected package. Instead, the mix suggests experimentation: testing how far a worm can spread inside npm, how fast it moves, and what kind of noise it makes,” he tells Assured Intelligence.

“That kind of probing worries me more than a smash-and-grab. It tells us someone’s mapping the ecosystem for a future hit. And when an attack creates this much chaos, it also creates cover. It’s worth asking: did anything else slip through while everyone was distracted?”

Start with automated monitoring

Endor Labs CTO, Dimitri Stiliadis, tells Assured Intelligence that the threat is “more of an annoyance than an immediate danger” at present.

“Security teams are actively updating databases like OSV.dev with indicators from this campaign,” he adds. “Organisations are scanning dependencies, updating blocklists, and incorporating detection tools.”

Randolph Barr, CISO at Cequence Security, explains that security teams should start with “version pinning”, using software bills of materials (SBOMs) to gain visibility into packages, and continuously monitoring publisher reputation and package behaviour.

“Adding AI-powered developer tools on top of that provides teams with a better understanding of behaviour by spotting things like obfuscation, inactive payloads, or strange patterns that regular scanners miss,” he tells Assured Intelligence. “The idea is simple: stop packages that look suspicious from ever getting into your pipeline, keep an eye on them for drift, and fail builds when ungoverned dependencies show up.”

Ontinue CISO, Gareth Lindahl-Wise, agrees that insight into code is essential to understand what it is doing at execution. He recommends a mix of automated and manual reviews. “Subscriptions to services which review code or give threat intel and blocklists is also useful and should be integrated into your development practices,” Lindahl-Wise tells Assured Intelligence.

Sonatype’s Fox explains that automation is key to rapid response and recovery, flagging unusual behaviour like sudden version spikes or new maintainers appearing. “Mirror trusted packages internally so you’re not pulling directly from public registries,” he advises. “And assume compromise is inevitable. Sandbox what you can, restrict network permissions, and make sure a single bad package can’t take down your whole environment. The goal isn’t perfection; it’s containment.”

A sign of things to come

This isn’t the first worm to hit the npm ecosystem. Within the space of just a few weeks, users have been assailed by Glass Worm, which targeted VS Code extensions, and Shai-Hulud, which compromised hundreds of packages with data-stealing malware. Fox warns that each campaign was “faster and more automated than the last”, adding that the community needs to keep pace.

“That means better intelligence sharing between registries and security teams, smarter detection that spots suspicious publishing patterns in real time, and more support for maintainers who are the first line of defence but often the least equipped,” he says.

Ontinue’s Lindahl-Wise suggests that npm, which was acquired by Microsoft-owned GitHub in 2020, may want to rethink how it delivers its services. “It is not beyond the realms of possibility for ‘tiered’ services to be developed – free with no scanning or subscription-based with some level of code scanning and scrutiny of publisher activity,” he argues.

Chad Cragle, CISO at Deepwatch, adds that both npm and reward systems like TEA need “stronger verification, better behaviour-based detection, rate limits, and quicker removal of junk packages.” He adds: “Open-source is the backbone of modern software, and if trust erodes, everything built on top of it does too.”

According to the experts, IndonesianFoods is unlikely to cause any lasting damage, beyond a mild case of digital indigestion. “But it’s a loud warning,” says Sonatype’s Fox. Time will tell whether that warning is heeded before the next worm strikes.

IndonesianFoods: What to do now

As advised by Dimitri Stiliadis:

  • Immediate verification: Check your dependencies against the compromised accounts. Look for anything published by voinza, yunina, noirdnv, veyla, vndra, vayza, bipyruss, sernaam.b.y, jarwok, doaortu, or rudiox. It’s also important to cross-reference your installed packages with the complete list in the Indonesian-Foods-Worm GitHub repository.
  • Access control audit: Immediately reassess whether npm publish permissions are restricted to CI/CD systems and authorised maintainers. It’s important to ensure that developers cannot accidentally publish from local machines.
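The cross-referencing step above, and the dependency chaining described earlier in the article, can be automated against a project’s lockfile. The following is an added example, not code from the article or from any of the companies quoted; the lockfile contents and the blocklist are constructed for illustration (the real list lives in the Indonesian-Foods-Worm repository), and it assumes a hoisted lockfileVersion 2/3 `packages` map.

```javascript
// Added example: scan an npm lockfile (lockfileVersion 2/3 "packages" map) for
// blocklisted dependencies and report the chain that pulled each one in. The
// lockfile and blocklist below are constructed, not the real IndonesianFoods list.
const LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "1.3.0", "rendang-goreng": "0.4.1" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/rendang-goreng": { version: "0.4.1", dependencies: { "sate-ayam": "2.1.7" } },
    "node_modules/sate-ayam": { version: "2.1.7", dependencies: { "gudeg-manis": "9.0.3" } },
    "node_modules/gudeg-manis": { version: "9.0.3" },
  },
};
const BLOCKLIST = new Set(["sate-ayam", "gudeg-manis"]); // constructed stand-in
// Breadth-first walk from the root entry (""). Returns Map<entryPath, chain>, where
// chain lists the packages from the root to that entry. Assumes a hoisted tree.
function walk(lock) {
  const seen = new Map();
  const queue = [["", []]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    const deps = (lock.packages[path] || {}).dependencies || {};
    for (const name of Object.keys(deps)) {
      const entry = `node_modules/${name}`;
      if (!lock.packages[entry] || seen.has(entry)) continue;
      const next = [...chain, name];
      seen.set(entry, next);
      queue.push([entry, next]);
    }
  }
  return seen;
}
// Match every reachable package against the blocklist. "via" shows the direct
// dependency that introduced it, which is the one to remove or replace.
function findFlagged(lock, blocklist) {
  const hits = [];
  for (const [entry, chain] of walk(lock)) {
    const name = entry.slice("node_modules/".length);
    if (blocklist.has(name)) {
      hits.push({ name, version: lock.packages[entry].version, via: chain.join(" > ") });
    }
  }
  return hits;
}
// How many packages one direct dependency drags in (itself included).
function transitiveCount(lock, directDep) {
  return [...walk(lock).values()].filter((chain) => chain[0] === directDep).length;
}
```

Run it against a real package-lock.json by replacing `LOCK` with the parsed file and `BLOCKLIST` with the published list, and fail the CI build when `findFlagged` returns anything.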