Understanding the IndonesianFoods Worm: A Large-Scale npm Spam Campaign
The Rise of the IndonesianFoods Spam Campaign
Recent investigations by security researchers have brought to light a significant spam initiative within the npm (Node Package Manager) ecosystem, referred to as the IndonesianFoods worm. Over the past two years, this operation has seen the publishing of more than 43,000 spam packages across at least 11 different user accounts. Unlike typical malware that might aim to steal user credentials or sensitive data, this particular campaign primarily targets the npm registry itself, filling it with irrelevant packages and thereby compromising the platform’s integrity.
Campaign Origins and Automation
The IndonesianFoods campaign has been active for over two years, carefully executing a strategy that consists of deploying dormant payloads masquerading as legitimate projects. In an in-depth investigation by Paul McCarty, he highlighted that the worm has efficiently operated through multiple accounts, complicating detection efforts. Essentially, it takes advantage of the open nature of npm’s publishing model, allowing for the repeated generation of packages that ultimately pollute the registry.
Unique Naming Structure of the IndonesianFoods Worm
What sets the IndonesianFoods worm apart is its unique naming convention, which directly correlates with its origin. The script employed in this operation uses two primary embedded lists: one featuring common Indonesian personal names—such as Andi, Budi, Cindy, and Zul—and the other consisting of popular Indonesian food terms, like Rendang, Sate, Bakso, and Tapai.
When the script is activated, it randomly selects one name and one food-related term and combines them with a random number from 1 to 100, followed by a suffix such as “-kyuki” or “-breki.” For example, package names generated by the worm might appear as “andi-rendang23-breki” or “zul-tapai9-kyuki.” This quirky naming strategy not only lends a distinct identity to the worm but also ties it to Indonesian culture.
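The naming scheme just described is regular enough to check for on the defender's side. The following is an added example, not code from the article or from the worm: it scans a package.json or package-lock.json for dependency names of the form name-food<1..100>-suffix. The word lists are the partial ones quoted above (assumption: the worm's embedded lists are longer), so a name with the right shape but unknown words is still reported at low confidence.

```javascript
// Added example (not the article's or the worm's code): a defender-side check
// that flags dependency names matching the IndonesianFoods naming scheme.
// Assumption: the word lists below are only the partial ones quoted in the
// article, so a name of the right shape with unknown words is still reported.
const NAMES = ["andi", "budi", "cindy", "zul"];
const FOODS = ["rendang", "sate", "bakso", "tapai"];
const SUFFIXES = ["kyuki", "breki"];

// Shape described above: <name>-<food><1..100>-<suffix>, e.g. andi-rendang23-breki
const SHAPE = new RegExp(`^([a-z]+)-([a-z]+)(100|[1-9][0-9]?)-(${SUFFIXES.join("|")})$`);

// null for a non-matching name; otherwise the parsed parts and a confidence
// level that is "high" only when both words come from the known lists.
function classifyName(pkgName) {
  const m = SHAPE.exec(pkgName.toLowerCase());
  if (!m) return null;
  const [, person, food, num, suffix] = m;
  const known = NAMES.includes(person) && FOODS.includes(food);
  return { person, food, num: Number(num), suffix, confidence: known ? "high" : "low" };
}

// Collect dependency names from a package.json or a package-lock.json (v2/v3
// "packages" map, whose keys are node_modules paths) and classify each one.
function findSuspiciousDeps(manifest) {
  const names = new Set();
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    Object.keys(manifest[field] || {}).forEach((n) => names.add(n));
  }
  for (const key of Object.keys(manifest.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i !== -1) names.add(key.slice(i + "node_modules/".length));
  }
  return [...names]
    .map((name) => ({ name, ...classifyName(name) }))
    .filter((r) => r.confidence)
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample lockfile (not a real project) used to exercise the check.
const SAMPLE_LOCK = {
  dependencies: { express: "^4.19.0", "andi-rendang23-breki": "1.0.0" },
  packages: {
    "": { name: "example-app" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/zul-tapai9-kyuki": { version: "3.7.1" },
    "node_modules/express/node_modules/rina-gudeg100-breki": { version: "0.1.0" },
    "node_modules/andi-rendang230-breki": { version: "1.0.0" }, // 230 > 100: not flagged
  },
};
console.log(findSuspiciousDeps(SAMPLE_LOCK));
```

A match is a signal to review the package, not proof on its own; the number-range and suffix checks keep the pattern from firing on ordinary hyphenated package names.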
The Mechanism Behind Account Operations
The operation has been traced back to at least 11 npm accounts, each specifically created for this campaign. These accounts include names such as voinza, yunina, noirdnv, veyla, and others. Together, they have facilitated the publication of thousands of spam packages. It’s important to note that these accounts do not appear to be compromised; rather, they are operating independently to execute the spam campaign.
When the malware runs, typically initiated via a script like auto.js, it modifies the package.json file to assign random version numbers. The command npm publish is then repeatedly triggered in an infinite loop, leading to the creation of a new spam package approximately every seven seconds. This relentless activity not only burdens npm’s infrastructure but also carries the risk of contaminating genuine projects if developers inadvertently install one of these fake packages.
Potential Impacts on Developers
While the IndonesianFoods worm does not directly compromise credentials or user data, it serves to transform the npm registry itself into a vector for attack. By exploiting the platform’s openness, the worm spreads a substantial volume of fake packages, creating friction for developers navigating the npm ecosystem. Such overwhelming quantities of irrelevant data can disrupt development processes, complicating package searches and installation.
A New Era for Spam Campaigns in Software Supply Chains
The emergence of the IndonesianFoods worm underscores a growing trend in software supply chain attacks that leverage automation and persistent strategies to dodge detection systems. Over two years, attackers—believed to be linked to Indonesia—have inundated npm with tens of thousands of malicious packages, leading to a notable erosion of trust within open-source ecosystems.
For organizations striving to safeguard their environments against such escalating threats, platforms like Cyble’s AI-native threat intelligence suite can be invaluable. Their tools help in the detection, forecasting, and neutralization of emerging cyber risks. Engaging with them can provide critical insights into vulnerabilities and bolster defenses against large-scale spam campaigns, much like the IndonesianFoods worm.
In summary, the ongoing challenge with the IndonesianFoods worm highlights the need for continuous vigilance and innovative security solutions in the face of evolving threats in open-source environments.