150K malicious npm packages detected in token farming blitz

Evgeny Anikiev · November 14, 2025 · CyberSecurity

150,000 Malicious Packages Found in npm Registry

Amazon Inspector security researchers just identified what might be the largest package flooding attack ever: 150,000+ fake npm packages, all part of a coordinated token farming scheme.

Here's what happened:

Threat actors created self-replicating packages with no real functionality. Each one carried a tea.yaml file holding a blockchain wallet address, so that the publisher automatically collected cryptocurrency rewards for every package counted as an open-source contribution. The whole thing was automated. Bots generating bots generating more bots.

The scary part? These aren't traditional malware. No ransomware. No credential theft. Just pollution. Registry bloat. Wasted bandwidth. Dependency confusion. Trust erosion.

The detection: On October 24, Amazon Inspector deployed AI-paired detection rules. Within days, thousands of suspicious packages were flagged. By November 7, they knew it was coordinated. By November 12, over 150,000 packages had been identified and reported to OpenSSF, with MAL-IDs assigned within 30 minutes of each report.

Why this matters: Financial incentives are driving new attack vectors. If reward systems exist, attackers will find ways to game them. This campaign could inspire copy-cats targeting other reward-based platforms.

What you should do: Audit your dependencies. Remove low-quality packages. Use Amazon Inspector to check for tea.xyz-linked packages. Pin versions. Enforce SBOMs. Isolate CI/CD environments.

Supply chain security just got more complicated. The threat landscape keeps evolving.
