Concise Cyber

NPM Registry Flooded With 150,000 Packages in Widespread Token Farming Campaign

Cybersecurity researchers from Checkmarx have identified a massive spam campaign that targeted the npm open-source package registry. The operation involved the publication of nearly 150,000 malicious packages over a period of several days in a scheme described as a token farming operation.

Token farming is a method where threat actors publish packages containing links to specific websites. The primary objective is to drive traffic to these sites to collect rewards or tokens, which can come from advertising revenue or referral programs.

Campaign Mechanics and Scale

The malicious packages were published using over 1,000 different user accounts created by the attackers. The content of these packages often consisted of direct copies or slightly modified versions of legitimate and popular npm packages, making them appear functional at first glance.

Within the code of these copied packages, the operators embedded links that directed users to various e-commerce, finance, and cryptocurrency-related websites. The operation was designed solely to generate web traffic for the financial benefit of the campaign’s orchestrators.

Black-Hat SEO and Registry Pollution

To ensure the packages were discovered, the attackers used black-hat search engine optimization (SEO) tactics. The package descriptions and README files were stuffed with keywords matching popular search terms, including “free cheats,” “free followers,” and “free robux.”

This technique was intended to make the spam packages appear in search engine results for common queries. While the campaign was not designed to install traditional malware on developer systems, its main impact was the significant pollution of the npm ecosystem, creating a large volume of noise that hinders developers from finding legitimate packages. The npm security team was notified and took action to remove the malicious packages.
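As an added example (not code from the article or from Checkmarx), the following heuristic triage scores npm package metadata for the pattern described in both sections above: SEO spam keywords in the description or README, several outbound links to non-code sites, a name that copies a popular package, and a freshly created publisher account. The package records, the popular-package list and the allowed-host list are constructed assumptions for the demo.

```javascript
// Keywords quoted in the article; extend with a vetted list in practice.
const SPAM_KEYWORDS = ["free cheats", "free followers", "free robux"];
const LINK_RE = /https?:\/\/[^\s)>"']+/gi;
// Hosts a README legitimately links to (assumption; tune per organisation).
const ALLOWED_HOSTS = new Set(["github.com", "npmjs.com", "www.npmjs.com"]);

// Return hostnames of links that point outside the allowed set.
function externalLinks(text) {
  const hosts = [];
  for (const url of text.match(LINK_RE) || []) {
    try {
      const host = new URL(url).hostname;
      if (!ALLOWED_HOSTS.has(host)) hosts.push(host);
    } catch (_) { /* malformed URL: ignore */ }
  }
  return hosts;
}

// Score one package record; each matched indicator adds one point.
function scorePackage(pkg, knownPopular) {
  const reasons = [];
  const text = `${pkg.description || ""}\n${pkg.readme || ""}`.toLowerCase();
  const hits = SPAM_KEYWORDS.filter((k) => text.includes(k));
  if (hits.length) reasons.push(`seo-keywords:${hits.join("|")}`);
  const hosts = externalLinks(text);
  if (hosts.length >= 3) reasons.push(`outbound-links:${hosts.length}`);
  // Name is a popular package name plus a suffix (crude clone check; will
  // also flag legitimate scoped forks, so treat it as one signal of several).
  const clone = knownPopular.find((p) => pkg.name !== p && pkg.name.startsWith(p));
  if (clone) reasons.push(`clone-of:${clone}`);
  if (pkg.publisherAgeDays !== undefined && pkg.publisherAgeDays < 7) reasons.push("new-publisher");
  return { name: pkg.name, score: reasons.length, reasons };
}

// Constructed sample data: one spam-like record, two ordinary ones.
const POPULAR = ["lodash", "express"];
const SAMPLE_PACKAGES = [
  { name: "lodash-free", description: "Free robux and free followers generator!",
    readme: "Get it at https://shop.example.test/deal https://coins.example.test/ref?id=1 https://bank.example.test/signup",
    publisherAgeDays: 1 },
  { name: "my-logger", description: "Small structured logger",
    readme: "Source: https://github.com/example/my-logger", publisherAgeDays: 900 },
  { name: "express-helpers", description: "Helpers for express apps",
    readme: "Docs: https://github.com/example/express-helpers", publisherAgeDays: 400 },
];

// Return only records at or above the threshold, for analyst review.
function triage(packages, threshold = 2) {
  return packages.map((p) => scorePackage(p, POPULAR)).filter((r) => r.score >= threshold);
}
```

Running `triage(SAMPLE_PACKAGES)` flags only `lodash-free`, with all four indicators; the `express-helpers` record scores one point from the clone check alone and stays below the review threshold.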