
Devs flood npm with 15,000 packages to reward themselves with Tea ‘tokens’

We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity are related to malware, dependency confusion proof of concepts (PoCs), or just annoying SEO spam leveraging these registries.

It is not every day, though, that we see a flood of packages that is essentially benign and does nothing dangerous. So why the flood?

Tea Is Always the Answer

Data scientist Cody Nash, part of Sonatype’s release integrity team that powers our automated malware detection systems, noticed a spike this month in newly published npm packages that all appeared related to a single user.

Through several npm accounts, a dev named One Dionys published upwards of 13,995 packages on the platform.

Each of these packages depends on several other packages published by the same person. They also contain small amounts of code cloned from legitimate open source packages, enough to deliver minimal functionality for specific tasks, but their purpose was not immediately clear.

At first, we wondered if this was an ‘everything’-style attack, referring to an npm package called ‘everything’ that listed literally every package on npmjs.com as a dependency. Because npm refuses to unpublish a package that other packages depend on, that stunt made it virtually impossible for other developers to delete their own packages. But that wasn’t it.

An absence of malicious or suspicious code in these packages also made it difficult to understand what the dev’s motives were.

Our sharp-eyed security researcher Daniel Aguirre took note of harmless ‘tea.yaml’ files included in each of these packages, which make their purpose clear.

YAML (YAML Ain’t Markup Language) is a human-readable data serialization language commonly used for configuration files and in applications where data is stored or transmitted. As such, a stray tea.yaml file is quite easy to miss.

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog NEW 2024 authored by Ax Sharma. Read the original post at: https://www.sonatype.com/blog/devs-flood-npm-with-10000-packages-to-reward-themselves-with-tea-tokens