Content Deep Dive

Automated Package-Publication Incident IndonesianFoods in the NPM Ecosystem Linked to Crypto Reward-Farming Scam

Blog post from Snyk

Post Details
Author: Stephen Thoemmes
Word Count: 1,159
Language: English
Summary

In November 2025, security researchers identified a sharp increase in package publications on the NPM registry, which initially raised concerns of worm activity. The surge was instead traced to an outdated automation script tied to a defunct cryptocurrency reward scheme; it posed minimal risk, as no active exploit was detected. The incident involved five distinct packages, replicated thousands of times with minor name variations, and the script's effect was to keep publishing packages rather than to execute malicious code. With an average of only 18 monthly downloads per package, the event underscores the need for automated dependency-health checks and registry monitoring to catch supply-chain risks early. Developers are encouraged to use tools like Snyk for vulnerability assessments and to adopt policies that flag low-download or bulk-uploaded packages. Registry operators are advised to improve their monitoring so that bulk publication patterns and metadata anomalies are detected. The incident is a reminder that robust dependency hygiene and sound registry practices matter even when an event appears benign.