Automated Spam Campaign Floods GitHub/NPM with 1000s of Garbage Packages
A spam campaign by Tea[.]xyz floods the npm Registry with garbage packages to boost dependent counts, causing infrastructure slowdowns. The spammers abuse the Tea protocol, GitHub workflows, and npm; the activity has drawn criticism and is being reported and monitored.
A recent spam campaign by Tea[.]xyz has flooded the npm Registry with thousands of garbage packages, aiming to boost the number of dependents for the spammers' projects. The campaign is ongoing and active, and has caused infrastructure slowdowns because the spam packages have auto-generated names and thousands of transitive dependencies. The Tea protocol, led by Max Howell, rewards maintainers based on project utilization, but it has attracted criticism for its susceptibility to spam. The spammers create dependency trees of fake packages to inflate these numbers artificially. GitHub workflows are used to automate the generation and publishing of the spam packages, violating GitHub's policies against excessive bulk activity and inauthentic engagement. The spammers are being reported as they continue to distribute these packages, and the situation is being closely monitored as the abuse of GitHub and npm persists.
Related
Polyfill supply chain attack hits 100K+ sites
A supply chain attack on Polyfill JS affects 100,000+ websites, including JSTOR and Intuit. Malware redirects mobile users to a betting site. Users advised to switch to trusted alternatives like Fastly and Cloudflare.
Reputation Farming Using Closed GitHub Issues
Reputation farming on GitHub involves manipulating closed issues and pull requests to falsely boost accounts' reputation. Maintainers are urged to monitor activity, report suspicious behavior, and automate checks to prevent this deceptive practice.
If you're using Polyfill.io code on your site – remove it immediately
A Chinese organization acquired polyfill.io, infecting 100,000+ websites with malware. Security warnings urge removal of its JavaScript code. Google blocks ads on affected sites. CDN mirrors aim to reduce risks.
384k sites pull code from sketchy code library recently bought by Chinese firm
Over 384,000 websites were found linked to a code library involved in a supply-chain attack by a Chinese firm. Altered JavaScript code redirected users to inappropriate sites. Industry responses included suspensions and replacements.
Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum
A threat actor is selling an unverified npm vulnerability for account takeover on BreachForums. npm has not confirmed the vulnerability. The dark web forum's reputation for cybercrime raises doubts. npm Registry is a prime target for attacks, emphasizing the need for security measures like enabling 2FA and code review.
Why make my life difficult then?
I tried to create an account to sync my vscode settings. After about half an hour trying to create an account with an email provider that is not “big tech”, I finally succeeded, but they deleted my account the next day for no good reason.
Now I just manually set settings on my different computers and manually copy over changes when I need. Microsoft can take a hike. I don’t need your sync. I’ll find a way around.