All news with #dependency confusion tag

IndonesianFoods Worm Floods npm with 100,000 Packages

🪲 A self-replicating campaign named IndonesianFoods is spamming the npm registry by creating new packages roughly every seven seconds, with Sonatype reporting more than 100,000 published components. The packages use random Indonesian names and food terms and currently contain no known data-stealing payloads, but researchers warn a future update could introduce malware. Some packages appear to exploit the TEA Protocol to inflate contribution scores and earn tokens, pointing to a financial motive. Developers are urged to lock dependencies, monitor unusual publishing patterns, and enforce strict signature validation.

Modern Software Supply-Chain Attacks and Impact Today

🔒 Modern supply-chain incidents like the Chalk and Debug hijacks show that impact goes far beyond direct financial theft. Response teams worldwide paused work, scanned environments, and executed remediation efforts even though researchers at Socket Security traced the attackers' on-chain haul to roughly $600. The larger cost is operational disruption, repeated investigations, and erosion of trust across OSS ecosystems. Organizations must protect people, registries, and CI/CD pipelines to contain downstream contamination.