150,000+ Malicious NPM Packages Flood Registry in Crypto Token Farming Scheme

Researchers Uncover Massive Supply Chain Attack on NPM Targeting tea.xyz Cryptocurrency Protocol

Severity: MEDIUM
November 15, 2025
4 min read
Supply Chain Attack | Malware | Cloud Security


Executive Summary

In a significant and novel supply chain attack, security researchers have discovered that over 150,000 malicious packages were uploaded to the npm registry. This campaign, described as one of the largest package flooding incidents in open-source history, represents a shift in threat actor motivation. Instead of compromising the developers who install the packages, the attackers set out to abuse the economic model of tea.xyz, a Web3 protocol designed to reward open-source contributors. By flooding the registry with self-replicating junk packages linked to their crypto wallets, the attackers aimed to illegitimately farm 'TEA tokens'. This incident highlights the emergence of threats driven by cryptocurrency incentives that can pollute software ecosystems at an unprecedented scale.


Threat Overview

The campaign was first spotted in October 2025 and its full scale was uncovered by November 12. The attackers created numerous developer accounts on npm and used them to publish a massive volume of junk packages. The code within these packages was designed to be self-replicating: it automatically generated and published further packages, producing an exponential flood of junk content on the registry.

The core of the scheme was the tea.yaml configuration file included in each package. This file links a package to blockchain wallet addresses controlled by the attackers. The tea.xyz protocol analyzes open-source contributions and distributes 'TEA token' rewards to the developers named in that file. By creating a vast, interconnected web of seemingly legitimate (but actually worthless) packages, the attackers sought to game this system and siphon cryptocurrency rewards from the ecosystem. Any developer who downloaded and used these packages would unwittingly add to the apparent activity and value of the attackers' projects, further fueling the token farming operation.

Technical Analysis

The attack relied on automation and a deep understanding of the tea.xyz incentive mechanism.

  • Package Flooding: The primary technique was overwhelming the npm registry with a high volume of packages. This makes it difficult for security tools and human moderators to distinguish between legitimate and malicious content.
  • Self-Replication: The code within the packages contained logic to automate the creation and publication of new, similar packages, allowing the campaign to scale rapidly with minimal manual effort.
  • Configuration Abuse: The attackers placed a tea.yaml file in each package. This file is used by the tea.xyz protocol to identify the project and its contributors for reward distribution. The attackers populated this file with their own wallet addresses.

This incident was uncovered by Amazon Web Services (AWS) security researchers on the Amazon Inspector team, who used a new detection rule combined with AI assistance to flag the highly coordinated and suspicious publishing activity.

Impact Assessment

The primary impact of this campaign is the pollution and degradation of trust in the open-source ecosystem. While it did not directly steal user data, it created a massive amount of noise, making it harder for developers to find legitimate packages and for security teams to identify genuine threats. It also successfully abused a system designed to support open-source developers, potentially undermining the viability of such incentive programs in the future. This type of attack represents a systemic risk to software supply chains, where the sheer volume of malicious content can overwhelm defensive measures.

Detection & Response

  • Registry Monitoring: Open-source registries like npm must enhance their monitoring and vetting processes to detect large-scale, automated package publication from coordinated accounts. Using AI-assisted tools, as AWS did, is crucial for identifying such patterns.
  • Dependency Scanning: Developers should use automated dependency scanning tools that check for more than just known vulnerabilities. Scanners should also flag suspicious package characteristics, such as a very recent first publication date, no dependents, a lone maintainer with a handful of versions, install-time scripts that publish packages, or inclusion in known blocklists.
  • Behavioral Analysis: Implement D3FEND's File Analysis (D3-FA) to inspect package contents for suspicious scripts, especially those related to automated publishing or cryptocurrency wallets.

Mitigation

  • Stricter Vetting: Registries should consider implementing stricter vetting processes for new publishers and for the automated publication of packages, such as rate-limiting or requiring additional verification for high-volume uploads.
  • Developer Due Diligence: Developers must perform due diligence before adding a new dependency. This includes checking the package's author, its history, its number of dependents, and looking for any public discussion about its legitimacy.
  • Immutable Dependencies: Use lockfiles (e.g., package-lock.json) and install from them in CI with npm ci, so that the versions of dependencies do not change unexpectedly and a newly published junk package cannot be pulled in during a build. This is a form of Application Configuration Hardening (D3-ACH).
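The script below is an added example for this article, not code from the Amazon Inspector research, from npm or from the tea protocol. It turns the configuration-abuse indicator from the Technical Analysis (a tea.yaml routing rewards to a wallet) and the scanner and due-diligence heuristics above (recent first publish, no dependents, lone maintainer, install-time scripts that run a publish command) into a runnable triage routine, and it groups packages by the wallet they pay out to, which is the coordinated-account signal a registry would alert on. The input dict shape, the thresholds and the three sample packages are constructed assumptions; the tea.yaml layout used in the sample (a `codeOwners` list of wallet addresses) follows the format seen in public reporting and should be verified against the current protocol documentation.

```python
"""Heuristic triage of npm packages for tea.xyz-style token-farming floods.

Added example for the article, not code from Amazon Inspector, npm or
the tea protocol. Input shape, thresholds and sample packages are
constructed assumptions.
"""
import re
from datetime import datetime, timezone

WALLET_RE = re.compile(r"0x[0-9a-fA-F]{40}")          # EVM-style addresses
PUBLISH_RE = re.compile(r"\b(npm|pnpm|yarn)\s+publish\b")
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublishOnly")
NOW = datetime(2025, 11, 15, tzinfo=timezone.utc)     # fixed clock so runs are reproducible
MIN_AGE_DAYS = 14                                     # assumed threshold
FLAG_THRESHOLD = 3                                    # assumed threshold


def wallets_in_tea_yaml(text):
    """Wallet addresses declared anywhere in a tea.yaml body."""
    return set(WALLET_RE.findall(text))


def triage(pkg, now=NOW):
    """Score one package; returns (score, reasons).

    pkg is a dict with fields a scanner can derive offline from the registry
    metadata document and the unpacked tarball (assumed shape):
      name, created (ISO 8601), versions, maintainers, dependents,
      scripts (package.json "scripts"), files (path -> contents).
    """
    reasons = []
    created = datetime.fromisoformat(pkg["created"].replace("Z", "+00:00"))
    age_days = (now - created).days
    if age_days < MIN_AGE_DAYS:
        reasons.append(f"first published {age_days} day(s) ago")
    if pkg["dependents"] == 0:
        reasons.append("no dependents")
    if pkg["maintainers"] == 1 and pkg["versions"] <= 2:
        reasons.append("single maintainer with <=2 versions")
    tea = pkg["files"].get("tea.yaml")
    if tea is not None:
        reasons.append(f"tea.yaml declaring {len(wallets_in_tea_yaml(tea))} wallet(s)")
    for hook in LIFECYCLE:                            # self-replication tell
        cmd = pkg["scripts"].get(hook, "")
        if PUBLISH_RE.search(cmd):
            reasons.append(f"{hook} runs a publish command: {cmd!r}")
    return len(reasons), reasons


def cluster_by_wallet(pkgs):
    """Map wallet address -> set of package names paying out to it."""
    out = {}
    for p in pkgs:
        for w in wallets_in_tea_yaml(p["files"].get("tea.yaml", "")):
            out.setdefault(w, set()).add(p["name"])
    return out


def flagged(pkgs, threshold=FLAG_THRESHOLD):
    """Names of packages whose score reaches the threshold, in input order."""
    return [p["name"] for p in pkgs if triage(p)[0] >= threshold]


# Constructed sample: two flood packages sharing one wallet, one mature package.
FLOOD_TEA = (
    "# https://tea.xyz/what-is-this-file\n"
    "version: 1.0.0\n"
    "codeOwners:\n"
    "  - '0x1111111111111111111111111111111111111111'\n"
    "quotaReward: 0.25\n"
)
SAMPLE = [
    {"name": "flood-pkg-a", "created": "2025-11-13T00:00:00Z", "versions": 1,
     "maintainers": 1, "dependents": 0,
     "scripts": {"postinstall": "node gen.js && npm publish --access public"},
     "files": {"package.json": "{}", "gen.js": "", "tea.yaml": FLOOD_TEA}},
    {"name": "flood-pkg-b", "created": "2025-11-14T00:00:00Z", "versions": 1,
     "maintainers": 1, "dependents": 0,
     "scripts": {"preinstall": "yarn publish"},
     "files": {"package.json": "{}", "tea.yaml": FLOOD_TEA}},
    {"name": "mature-lib", "created": "2019-03-02T00:00:00Z", "versions": 58,
     "maintainers": 4, "dependents": 1200,
     "scripts": {"test": "node test.js"},
     "files": {"package.json": "{}", "index.js": ""}},
]

if __name__ == "__main__":
    for p in SAMPLE:
        score, why = triage(p)
        print(f"{p['name']}: score {score}; {'; '.join(why) or 'no findings'}")
    print("flagged:", flagged(SAMPLE))
    shared = {w: sorted(n) for w, n in cluster_by_wallet(SAMPLE).items() if len(n) > 1}
    print("wallets shared across packages:", shared)
```

Each signal on its own is weak (plenty of honest packages are new and have no dependents), which is why the score adds them up and the wallet clustering runs across the whole batch rather than per package. In practice the `created`, `versions`, `maintainers` and `scripts` fields come from the registry metadata and package.json, and `files` from the unpacked tarball; `dependents` has to come from a separate index, and a scanner that cannot obtain it should simply skip that signal rather than treat a missing value as zero.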

Timeline of Events

1. October 1, 2025: Malicious token farming campaign was first spotted by researchers.
2. November 12, 2025: The full scale of the 150,000+ package campaign was uncovered.
3. November 15, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Signed and verified packages: While not a direct solution, promoting a culture of using signed and verified packages can help raise the bar against untrusted code.
  • M1047 Audit (enterprise): Security teams and registries should continuously audit package publications for anomalous patterns indicative of flooding or abuse.
  • Pinned dependencies: Use lockfiles to pin dependencies, preventing the automatic introduction of new, potentially malicious packages into a project.

Sources & References

  • "Crims flood npm with 150K+ junk packages to farm TEA tokens", The Register (theregister.com), November 14, 2025
  • "2025 Security Predictions: Attacks on the AI Supply Chain", ExtraHop (extrahop.com), November 14, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis | Security Orchestration (SOAR/XSOAR) | Incident Response & Digital Forensics | Security Operations Center (SOC) | SIEM & Security Analytics | Cyber Fusion & Threat Sharing | Security Automation & Integration | Managed Detection & Response (MDR)

Tags

NPM | Supply Chain Attack | Open Source | Cryptocurrency | Token Farming | tea.xyz | AWS
