A newly uncovered campaign known as the IndonesianFoods NPM Worm has emerged as one of the largest ecosystem-pollution attacks ever identified within the Node Package Manager (NPM) registry. This worm’s primary objective is volume-based disruption. The operators have already published over 78,000 malicious packages, nearly doubling the total number of known malicious NPM packages.
The name “IndonesianFoods” comes from the worm’s internal dictionary of Indonesian personal names and food terms, which it combines to generate package names such as “andi-rendang23-breki”. Analysts have identified at least 55 malicious NPM accounts, including veyla, noirdnv, bipyruss, mipppp, vndra and others. Each account publishes through automation files such as auto.js, publishScript.js or index.js, which continuously generate new package names, rewrite package.json metadata, randomize version numbers and publish in a loop, sometimes as fast as one new package every 7 seconds. To avoid casual inspection, many of the packages masquerade as legitimate JavaScript framework projects, including fake Next.js applications.
The attack weaponizes the NPM registry itself: flooding it with junk packages degrades the quality of the whole ecosystem and raises the chance that a developer or a CI/CD pipeline resolves a malicious or broken dependency by mistake.
Because this campaign produced tens of thousands of indicators of compromise (package names, malicious publisher accounts and associated files), the complete IOC dataset is too large to list inline. To support defenders, the full IOC collection, containing all 43,964 repositories, the 55 malicious NPM accounts and all payload file references, has been published in the GitHub IOC Repository (https://github.com/6mile/Indonesian-Foods-Worm) and the OpensourceMalware.com Database (https://opensourcemalware.com).
Severity:
Medium
Attack Surface:
Cloud Service, Cloud Storage, Content Management System, Database, Email, Endpoint, Server OS, Supply Chain (Third-party vendors)
Tactics:
Defense Evasion, Impact, Persistence, Resource Development
Techniques:
Resource Development
T1587.001 – Develop Capabilities: Malware
Persistence
T1053.005 – Scheduled Task/Job: Cron
T1547.009 – Boot or Logon Autostart Execution: Shortcut Modification
Defense Evasion
T1027 – Obfuscated Files or Information
T1036 – Masquerading
Impact
T1498 – Network Denial of Service
T1499 – Endpoint Denial of Service
Indicators of Compromise:
1. https://otx.alienvault.com/pulse/69169872a0119f0e087f37f4
References:
1. https://sourcecodered.com/indonesianfoods-npm-worm/
2. https://github.com/6mile/Indonesian-Foods-Worm
3. https://opensourcemalware.com/
SuperPRO’s Threat Countermeasures Procedures:
1. Pin dependencies with a committed lockfile (package-lock.json or pnpm-lock.yaml) and run npm ci rather than npm install in CI, so that a build never resolves a newly published package that is not already recorded in the lockfile.
2. Block the known malicious publisher accounts at the registry proxy or dependency-scanning layer, and set ignore-scripts=true in .npmrc so that install-time lifecycle scripts (preinstall, install, postinstall) do not run automatically. Note that .npmrc itself has no setting that restricts installs by publisher; that control belongs in the proxy or an allowlist.
3. Integrate automated supply-chain scanning into CI/CD using tools such as Socket.dev to detect suspicious packages, obfuscated payloads or unexpected install scripts before they are merged.
4. Front the public registry with a private registry such as JFrog Artifactory or Sonatype Nexus so that only vetted packages enter organizational environments.
5. Monitor for abnormal publishing activity on the organization’s own npm accounts and registry mirrors, including rapid or automated npm publish operations; the worm publishes at machine speed, as often as every few seconds.
6. Run static checks on incoming packages to flag the worm’s naming pattern (Indonesian name plus food term plus digits) and fake Next.js projects that declare the framework but lack its standard directories (pages/ or app/).
Contributed by: Thivya