Overview
- Sonatype now reports the tally has surpassed 100,000 spam packages, up from earlier counts around 44,000–46,000 documented in this long-running campaign.
- Each bogus package carries an auto.js or publishScript.js file that, when run manually, enters a loop that strips the private flag from package.json (the setting that would otherwise block npm publish), randomizes the package version and name, and publishes a fresh package every seven to ten seconds.
- Interlinked dependencies cause installs to pull large trees of related spam packages, straining registry bandwidth and complicating cleanup.
- Endor Labs found tea.yaml files tied to TEA accounts in multiple packages, indicating a likely attempt to inflate impact scores for token rewards.
- GitHub says it has removed the identified packages and disabled offending accounts, while researchers warn the technique exposes a detection blind spot and could be reused.