A sophisticated and self-replicating worm, dubbed the “IndonesianFoods-worm,” has flooded the npm registry with tens of thousands of malicious packages, posing a significant threat to the software supply chain. Security researchers from SourceCodeRed and JFrog have independently documented this aggressive campaign, which began around November 10, 2025.
The worm, written in JavaScript, executes a complex series of actions to ensure its proliferation. It generates random package names, often drawing inspiration from Indonesian cuisine like indomie-goreng-enak and nasi-goreng-ayam. Once a system is compromised, the worm modifies package.json files to force packages into public visibility and assigns arbitrary version numbers before publishing new malicious iterations to the npm registry. This automated process occurs at an alarming rate, with a new package emerging approximately every seven seconds.
Delving into the worm’s mechanics, JFrog Security Research explains that the malicious code embeds a ‘preinstall’ script within the package.json file. This script detects the presence of npm or yarn and subsequently executes indonesianfoods.js. The indonesianfoods.js file then queries the npm registry for the 500 most popular packages, randomly selecting one to serve as a template for generating a new, infected package. Furthermore, the worm perniciously alters the .npmrc file, redirecting it to an attacker-controlled registry at http://indonesianfoods.my.id:8080/. This redirection effectively hijacks legitimate npm install and npm publish commands, funneling developers toward compromised sources.
The scale of this operation is substantial. SourceCodeRed, through the analysis of Paul McCarty, identified 43,900 packages originating from 11 distinct accounts. JFrog’s comprehensive research, spearheaded by Andrii Polkovnychenko, revealed an even broader scope, documenting over 80,000 variants distributed from 18 different user accounts. Paul McCarty of SourceCodeRed succinctly captured the rapid escalation, stating, “The number of known malicious NPM packages just doubled in a day!”
The precise motive behind the “IndonesianFoods-worm” campaign remains ambiguous. However, JFrog has issued a cautionary note, suggesting that the current wave of activity could be a test run for a more potent future campaign, one that would leverage the established infrastructure to deploy significantly more harmful payloads, amplifying the potential for widespread damage to software projects reliant on the npm ecosystem.
This incident underscores the persistent and evolving challenges in maintaining the integrity of software supply chains. Developers are urged to exercise heightened vigilance regarding package provenance and to implement robust security practices to mitigate the risk of inadvertently integrating malicious components into their projects.