Another Round of TEA Protocol Spam Floods npm, But It’s Not a Worm
Blog post from Socket
A recent npm spam campaign, inaccurately labeled as a "worm," is actually a continuation of a long-standing pattern of spam activity linked to the TEA Protocol's crypto reward scheme, which Socket has been monitoring for nearly two years. The campaign's goal is to artificially inflate the number of dependents for spam projects by creating fake dependency networks using random package names and tea.yaml files. Although some have described the campaign's characteristics as worm-like due to dependency chain spreading and a replicating publish script, these do not constitute true worm behavior, as there is no autonomous execution or malicious payload involved. The spam packages, which use random Indonesian food names rather than typosquatting popular ones, have not compromised accounts or spread maliciously. Despite generating significant operational friction by consuming registry resources and complicating automated malware detection, the campaign poses no direct security threat to developers. Efforts by individuals like Paul McCarty and organizations such as OpenSSF, which assigned malicious package identifiers and took down the spam packages, are crucial to maintaining the integrity of package registries.
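The summary above describes the campaign's mechanics (packages that ship a tea.yaml, carry no real code, and depend on each other purely to inflate dependent counts) in prose. The following added example, which is not code from Socket or from the blog post, shows how a registry operator or a security tool could turn those observations into a defensive heuristic: a package is a reward-farming suspect only when it contains a tea.yaml and no code files, and suspects are grouped into clusters by their dependency edges among each other. The package records are constructed for illustration, and the specific thresholds (no code files, cluster size of at least two) are my assumptions; a lone package that merely registers with TEA is not flagged, since legitimate projects also ship a tea.yaml.

```python
"""Heuristic detector for TEA-style dependency-inflation spam clusters.

Added example, not code from Socket or the blog post. The heuristics
(tea.yaml present, no executable code, dependency edges that stay inside
the suspect set) are assumptions about what such spam looks like. The
package records at the bottom are constructed, not real npm data.
"""
from collections import defaultdict
from dataclasses import dataclass

# File suffixes that indicate a package actually ships runnable code.
CODE_EXTENSIONS = (".js", ".mjs", ".cjs", ".ts", ".tsx", ".wasm")


@dataclass(frozen=True)
class PackageRecord:
    """Minimal view of a published package: its tarball file list and
    the names listed under "dependencies" in package.json."""
    name: str
    files: tuple
    dependencies: tuple


def looks_like_reward_farm(pkg: PackageRecord) -> bool:
    """A package is a suspect when it registers for TEA rewards (tea.yaml)
    but ships nothing that could run. tea.yaml alone is not a signal:
    legitimate maintainers register too, so the no-code condition is the
    discriminating part."""
    has_tea = any(f == "tea.yaml" or f.endswith("/tea.yaml") for f in pkg.files)
    has_code = any(f.endswith(CODE_EXTENSIONS) for f in pkg.files)
    return has_tea and not has_code


def find_spam_clusters(packages):
    """Group suspect packages that depend on one another into connected
    components. Only components of size >= 2 are reported, because the
    campaign's signature is the fake dependency *network*, not a single
    empty package."""
    suspects = {p.name for p in packages if looks_like_reward_farm(p)}

    # Undirected adjacency restricted to suspect-to-suspect edges.
    adj = defaultdict(set)
    for p in packages:
        if p.name not in suspects:
            continue
        for dep in p.dependencies:
            if dep in suspects:
                adj[p.name].add(dep)
                adj[dep].add(p.name)

    seen = set()
    clusters = []
    for name in sorted(suspects):
        if name in seen:
            continue
        # Iterative DFS to collect one connected component.
        component = set()
        stack = [name]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adj[node] - component)
        seen |= component
        if len(component) >= 2:
            clusters.append(sorted(component))
    return clusters


# Constructed sample data (names are placeholders, not real packages):
# three empty tea.yaml packages chained together, one lone tea.yaml
# package, one legitimate library that registered with TEA, and a
# normal dependency.
SAMPLE_PACKAGES = (
    PackageRecord("spam-pkg-a", ("package.json", "tea.yaml", "README.md"),
                  ("spam-pkg-b", "spam-pkg-c")),
    PackageRecord("spam-pkg-b", ("package.json", "tea.yaml"), ("spam-pkg-c",)),
    PackageRecord("spam-pkg-c", ("package.json", "tea.yaml"), ()),
    PackageRecord("lonely-tea", ("package.json", "tea.yaml"), ("lodash",)),
    PackageRecord("real-lib", ("package.json", "tea.yaml", "index.js"), ("lodash",)),
    PackageRecord("lodash", ("package.json", "lodash.js"), ()),
)

if __name__ == "__main__":
    for cluster in find_spam_clusters(SAMPLE_PACKAGES):
        print("suspected reward-farming cluster:", ", ".join(cluster))
```

Run against the constructed records, the detector reports the three chained empty packages as one cluster, ignores the lone tea.yaml package (no network), and ignores the real library even though it also ships a tea.yaml. The cluster-only reporting is what keeps this from being a TEA-participation blocklist: the operational cost the summary describes comes from the volume of interlinked empty packages, and that interlinking is what the heuristic keys on.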