SBN

Devs flood npm with 15,000 packages to reward themselves with Tea ‘tokens’

We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity are related to malware, dependency confusion PoCs, or just …annoying SEO spam leveraging these registries.

It’s not every day though that we see a virtually benign flood of packages that otherwise aren’t conducting anything dangerous — well then, why the flood?

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog NEW 2024 authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/devs-flood-npm-with-10000-packages-to-reward-themselves-with-tea-tokens