I’ve identified an NPM worm that has published over 64,000 malicious packages to the NPM registry, affecting at least seven NPM users. This attack concentrates on creating new packages, rather than stealing credentials or other more immediately malicious behaviours.
This attack more than doubles the known number of malicious NPM packages.
What is the IndonesianFoods Worm?
The IndonesianFoods worm is a long-term, coordinated attack targeting the NPM (Node Package Manager) ecosystem. The campaign gets its name from the bizarre internal dictionary and distinctive naming scheme used across the malicious packages. What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack. Even worse, these threat actors have been staging this for over two years.
Because of the sheer volume of packages and data, I have created a GitHub repository that includes all the repositories and users’ data. That repo is: https://github.com/6mile/Indonesian-Foods-Worm
The Actors Behind the Attack
Security analysis has identified seven NPM user accounts that appear to be part of this coordinated campaign:
- voinza – 13146 packages
- yunina – 12850 packages
- noirdnv – 12072 packages
- veyla – 11942 packages. Payload is in the auto.js file.
- vndra – 11870 packages
- doaortu – 496 packages
- jarwok – 1821 packages
Each of these accounts appears to have been created specifically to deploy these packages; none of them appears to be a legitimate account that was compromised.
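One defensive check a team can run against this list is to cross-reference the packages in a lockfile with the maintainers recorded in the NPM registry and flag anything published by one of the seven accounts above. The following is an added example, not code from the original post or the linked repository; it assumes the registry's per-package document carries a top-level `maintainers` array of `{name, email}` objects (which it does), and the lockfile and registry documents below are constructed inline so it runs offline.

```javascript
// Added example: flag lockfile dependencies whose registry maintainers match
// the seven accounts named in the article. Registry documents are constructed
// here; in practice they are fetched from https://registry.npmjs.org/<name>.

// Account names taken from the article.
const FLAGGED_ACCOUNTS = new Set([
  "voinza", "yunina", "noirdnv", "veyla", "vndra", "doaortu", "jarwok",
]);

// package-lock.json v2/v3 keys "packages" by install path, e.g.
// "node_modules/a/node_modules/b"; the last path segment after the final
// "node_modules/" is the package name (scoped names keep their "@scope/").
function lockfilePackageNames(lockfile) {
  const marker = "node_modules/";
  return Object.keys(lockfile.packages || {})
    .filter((p) => p.startsWith(marker))
    .map((p) => p.slice(p.lastIndexOf(marker) + marker.length));
}

// Returns one finding per (package, maintainer) pair where the maintainer is a
// flagged account. `packuments` maps package name -> registry document.
function auditLockfile(lockfile, packuments, flagged = FLAGGED_ACCOUNTS) {
  const findings = [];
  for (const name of new Set(lockfilePackageNames(lockfile))) {
    const doc = packuments[name];
    if (!doc) continue; // not in our registry snapshot; nothing to compare
    for (const m of doc.maintainers || []) {
      if (flagged.has(m.name)) findings.push({ package: name, maintainer: m.name });
    }
  }
  return findings;
}

// Constructed sample data: package names and e-mails are made up; only the
// maintainer name "veyla" comes from the article.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/left-pad-ish": { version: "1.0.0" },
    "node_modules/left-pad-ish/node_modules/sample-transitive-dep": { version: "0.0.1" },
  },
};
const SAMPLE_PACKUMENTS = {
  "left-pad-ish": { maintainers: [{ name: "trusted-dev", email: "dev@example.com" }] },
  "sample-transitive-dep": { maintainers: [{ name: "veyla", email: "v@example.com" }] },
};

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCKFILE, SAMPLE_PACKUMENTS);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

Transitive dependencies are checked as well as direct ones, since the lockfile records the full install tree.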