A coordinated token farming campaign continues to flood the open source npm registry, with tens of hundreds of contaminated packages created almost every day to steal tokens from unsuspecting developers using the Tea Protocol to reward coding work.
On Thursday, researchers at Amazon said there were over 150,000 packages in the campaign. But in an interview on Friday, an executive at software supply chain management provider Sonatype, which wrote about the campaign in April 2024, told CSO that the number has now grown to 153,000.
“It’s unfortunate that the worm isn’t under control yet,” said Sonatype CTO Brian Fox.
And while this payload merely steals tokens, other threat actors are paying attention, he predicted.
“I’m sure somebody out there in the world is looking at this massively replicating worm and wondering if they can ride that, not just to get the Tea tokens but to put some actual malware in there, because if it’s replicating that fast, why wouldn’t you?”
When Sonatype wrote about the campaign just over a year ago, it found a mere 15,000 packages that appeared to come from a single individual.
With the swollen numbers reported this week, Amazon researchers wrote that it’s “one of the largest package flooding incidents in open source registry history, and represents a defining moment in supply chain security.”
This campaign is just the latest way threat actors are taking advantage of security holes in a number of open source repositories, which runs the risk of damaging the reputation of sites like npm, PyPI and others.
“The malware infestation in open-source repositories is a full-blown crisis, out of control and dangerously eroding trust in the open-source upstream supply chain,” said Dmitry Raidman, CTO of Cybeats, which makes a software bill of materials solution.
As evidence, he pointed to the Shai‑Hulud worm’s rapid exploitation of the npm ecosystem, which shows how quickly attackers can hijack developer tokens, corrupt packages, and propagate laterally across the entire dependency ecosystem. “What began as a single compromise explodes in a few hours, leaving the whole ecosystem and every downstream project in the industry at risk in a matter of days, regardless of whether it is open source or commercial.”
This past September, Raidman wrote about the compromise of the Nx build system after threat actors…