Self-replicating worm floods NPM with junk packages.
Researchers warn that tens of thousands of malicious NPM packages have been published in a campaign abusing the ecosystem for spam rather than data theft. Dubbed the IndonesianFoods worm by SourceCodeRed and Big Red by JFrog, the malware generates random names and versions, then publishes new packages every few seconds. JFrog found over 80,000 such packages across 18 accounts, all containing self-replicating publishing logic. While the purpose remains unclear, experts caution the activity could be a test run for more harmful payloads in future attacks.