

Ethical Hacking News

The Great TEA Token Farming Scandal: How 150K+ NPM Packages Were Hijacked to Harvest Cryptocurrency Rewards



Amazon's security researchers have uncovered a large-scale token farming campaign behind more than 150,000 malicious packages on the npm registry. The attack, described as "one of the largest package flooding incidents in open source registry history," saw attackers flood npm with thousands of low-quality, non-functional packages tied to a coordinated TEA token farming campaign. Read on for what happened and what it means for the open-source ecosystem.

  • Over 150,000 malicious packages carrying token farming code were published to npm.
  • The attack was described as one of the largest package flooding incidents in open source registry history.
  • The attackers created a self-replicating attack that infected packages with code to automatically generate and publish TEA tokens.
  • The malicious packages were linked to attacker-controlled blockchain wallet addresses, allowing them to collect TEA tokens without consent.
  • Amazon coordinated with OpenSSF on a response, submitting malicious packages to the repository and urging developers to remove low-quality packages.



Amazon's security researchers have uncovered a large-scale case of token farming on npm, the popular open-source registry, involving more than 150,000 malicious packages. The attack, described as "one of the largest package flooding incidents in open source registry history," saw attackers flood the npm registry with thousands of low-quality, non-functional packages linked to a coordinated TEA token farming campaign.

The incident is believed to have started in late October, when Amazon's security researchers first spotted suspicious activity on the platform. Using new detection rules and AI assistance, the team flagged thousands of malicious packages and uncovered the full extent of the attack by November 12. The attackers had built a self-replicating attack that seeded the packages with code to automatically generate and publish TEA tokens, earning cryptocurrency rewards on the backs of unsuspecting open-source developers.

The malicious packages were linked to a decentralized protocol that rewards open-source developers for their contributions with the TEA token, a utility asset used within the tea ecosystem for incentives, staking, and governance. The attackers added tea.yaml files that tied these packages to attacker-controlled blockchain wallet addresses, so that TEA tokens were collected automatically without the knowledge or consent of legitimate users.

"This incident demonstrates both the evolving nature of threats where financial incentives drive registry pollution at unprecedented scale, and the critical importance of industry-community collaboration in defending the software supply chain," said Chi Tran and Charlie Bacon, Amazon's security researchers. "The success of this campaign could inspire similar exploitation of other reward-based systems, normalizing automated package generation for financial gain."

Amazon has coordinated with the Open Source Security Foundation (OpenSSF) on a response, submitting newly discovered malicious packages to the OpenSSF malicious packages repository and ensuring that each package received a MAL-ID within 30 minutes. The company urges developers to remove low-quality, non-functional packages and to harden their supply chains, including by using software bills of materials (SBOMs) and isolating continuous integration and continuous delivery (CI/CD) environments.
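As an added defender-side check (example code, not from the article, Amazon or OpenSSF), the script below reads each package's tea.yaml, groups packages by the wallet it names, and flags wallets that own several hollow packages, which is the farming pattern described above. The tea.yaml layout (a `codeOwners` list of addresses) and the sample packages are assumptions.

```javascript
// Added example, not code from the article, Amazon or OpenSSF. Assumes tea.yaml
// carries a `codeOwners` list of wallet addresses; all packages are constructed.
// Pull the codeOwners addresses out of a tea.yaml text (tiny, list-only parser).
function teaOwners(teaYaml) {
  const owners = [];
  let inOwners = false;
  for (const raw of teaYaml.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("codeOwners:")) { inOwners = true; continue; }
    if (inOwners && line.startsWith("- ")) owners.push(line.slice(2).replace(/['"]/g, "").trim());
    else if (inOwners && line !== "") inOwners = false; // next top-level key ends the list
  }
  return owners;
}

// "Non-functional" package: entry file missing, or nothing but whitespace and comments.
function isHollow(pkg) {
  const meta = pkg.files["package.json"] ? JSON.parse(pkg.files["package.json"]) : {};
  const src = pkg.files[meta.main || "index.js"];
  return src === undefined || src.replace(/\s|\/\/.*$/gm, "").length === 0;
}

// Group by wallet; report wallets owning >= threshold packages and how many are hollow.
function findFarmingClusters(pkgs, threshold = 3) {
  const byWallet = new Map();
  for (const pkg of pkgs) {
    for (const w of teaOwners(pkg.files["tea.yaml"] || "")) {
      if (!byWallet.has(w)) byWallet.set(w, []);
      byWallet.get(w).push(pkg);
    }
  }
  return [...byWallet].filter(([, m]) => m.length >= threshold).map(([wallet, m]) => ({
    wallet, packages: m.map((p) => p.name).sort(), hollow: m.filter(isHollow).length,
  }));
}

// Constructed sample: one wallet behind three throwaway packages, plus a real library.
const FARM_WALLET = "0x1111111111111111111111111111111111111111"; // placeholder, not a real indicator
function fakePkg(name, wallet, indexJs) {
  const tea = `version: 1.0.0\ncodeOwners:\n  - '${wallet}'\nquorum: 1\n`;
  return { name, files: { "package.json": JSON.stringify({ name, main: "index.js" }), "tea.yaml": tea, "index.js": indexJs } };
}
const SAMPLE = [
  fakePkg("flood-aaa", FARM_WALLET, "// placeholder\n"),
  fakePkg("flood-bbb", FARM_WALLET, ""),
  fakePkg("flood-ccc", FARM_WALLET, "module.exports = () => 1;\n"),
  fakePkg("real-lib", "0x2222222222222222222222222222222222222222", "module.exports = require('./lib');\n"),
];
console.log(JSON.stringify(findFarmingClusters(SAMPLE), null, 2));
```

On a real registry mirror the same grouping would run over extracted tarballs, and the threshold would be tuned against how many packages a single legitimate maintainer normally owns.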

The attack highlights the evolving nature of threats in the open-source ecosystem, where financial incentives can drive malicious activity at scale, and underscores the importance of industry-community collaboration in defending against them. By working together, developers, vendors, and security researchers can help protect the software supply chain from exploitation by malicious actors.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Great-TEA-Token-Farming-Scandal-How-150K-NPM-Packages-Were-Hijacked-to-Harvest-Cryptocurrency-Rewards-ehn.shtml
  • https://go.theregister.com/feed/www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/
  • https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
  • https://cybersecuritynews.com/threat-actors-hijack-popular-npm-packages/

Published: Fri Nov 14 12:33:00 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.