IndonesianFoods Worm

The IndonesianFoods worm is a self-replicating malware campaign targeting the NPM ecosystem. Researchers reported that it was distributed through tens of thousands of malicious packages published to the NPM registry: SourceCodeRed identified more than 43,900 packages across 11 accounts, and JFrog observed over 80,000 packages across 18 accounts. The campaign has also been reported under the name "Big Red"; this page uses "IndonesianFoods worm" as the malware name.

Its core behavior is automated package generation and publication: the worm generates random package names, edits package.json metadata to make the packages public, assigns random version numbers, and publishes the resulting packages to NPM in an infinite loop. SourceCodeRed reported that it can publish a new package roughly every seven seconds. The malicious packages were described as containing only the self-replicating publishing logic, and they often disguised themselves as legitimate Next.js applications to avoid detection. The naming scheme used Indonesian names and food terms, with additional randomized words such as adjectives, colors, and animal names also reported.

JFrog reported that the worm reuses the victim user's stored NPM credentials to publish the newly generated packages. Researchers said the campaign did not directly steal credentials or data, unlike many other NPM supply-chain attacks. Its observed impact was to flood the registry with junk packages, pollute NPM search results, waste registry infrastructure resources, and create supply-chain risk if developers accidentally installed one of the malicious packages. The exact objective remains unclear, though JFrog assessed that it may be a dry run for later use of the same infrastructure to distribute more harmful payloads.

Targeting is specific to the Node.js/NPM software supply chain rather than to a particular industry. The high-confidence indicators reported are primarily behavioral: massive volumes of fake NPM packages, package names following Indonesian-food-themed or similarly randomized naming patterns, packages masquerading as Next.js projects, and package contents consisting of self-replicating automated publishing logic.
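The behavioral indicators above (themed package names, a publish loop inside the package, a Next.js facade, reuse of stored registry credentials) can be turned into a local hunt. The following Python script is an added example, not code from Mallory, SourceCodeRed or JFrog: it walks a node_modules tree, scores each package against those traits, and separately lists which registries a .npmrc file holds a stored auth token for. The vocabulary lists, the sample packages and the concrete heuristics (a lifecycle script that invokes npm publish, a declared Next.js dependency with no app source) are constructed assumptions for illustration, not the campaign's actual word lists or code.

```python
"""Hunt heuristics for IndonesianFoods-style self-replicating NPM packages.

Added example; word lists, fixtures and heuristics are constructed
assumptions, not reproduced from the real campaign.
"""
import json
import os
import re
import tempfile

# Constructed illustrative vocabulary; replace with real IOC word lists if available.
INDONESIAN_NAMES = {"budi", "siti", "agus", "dewi", "rina"}
FOOD_TERMS = {"rendang", "sate", "nasi", "bakso", "tempe", "soto"}
FILLER_WORDS = {"merah", "biru", "kucing", "harimau", "cepat", "manis"}

PUBLISH_RE = re.compile(r"\bnpm\s+publish\b")
# Lifecycle hooks that run automatically on `npm install` of the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")
NPMRC_TOKEN_RE = re.compile(r"^\s*(//[^:]+):_authToken=")


def name_score(pkg_name):
    """Count hyphen-separated name tokens that fall into each themed vocabulary."""
    tokens = pkg_name.lower().split("/")[-1].split("-")
    hits = {"name": 0, "food": 0, "filler": 0}
    for tok in tokens:
        if tok in INDONESIAN_NAMES:
            hits["name"] += 1
        elif tok in FOOD_TERMS:
            hits["food"] += 1
        elif tok in FILLER_WORDS:
            hits["filler"] += 1
    return hits


def assess_package(pkg_dir):
    """Return the list of heuristic reasons a package directory looks wormy (empty if clean)."""
    with open(os.path.join(pkg_dir, "package.json")) as fh:
        pj = json.load(fh)
    reasons = []
    hits = name_score(pj.get("name", ""))
    if hits["name"] and hits["food"]:
        reasons.append("themed-name")
    scripts = {k: str(v) for k, v in pj.get("scripts", {}).items()}
    if any(PUBLISH_RE.search(cmd) for cmd in scripts.values()):
        reasons.append("script-runs-npm-publish")
    if any(PUBLISH_RE.search(scripts.get(h, "")) for h in LIFECYCLE_HOOKS):
        reasons.append("publish-on-install")  # replication would fire on install
    deps = {**pj.get("dependencies", {}), **pj.get("devDependencies", {})}
    if "next" in deps:
        entries = set(os.listdir(pkg_dir))
        # Claims to be a Next.js app but ships none of the usual app source.
        if not entries & {"pages", "app", "next.config.js"}:
            reasons.append("nextjs-masquerade")
    return reasons


def scan_node_modules(root):
    """Map package path (relative to root) -> reasons, for every flagged package."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath != root and "package.json" in filenames:
            reasons = assess_package(dirpath)
            if reasons:
                findings[os.path.relpath(dirpath, root)] = reasons
    return findings


def find_stored_tokens(npmrc_text):
    """List registries for which an .npmrc holds a stored _authToken (credential exposure check)."""
    return [m.group(1) for line in npmrc_text.splitlines()
            if (m := NPMRC_TOKEN_RE.match(line))]


def build_fixture():
    """Constructed node_modules tree: one benign package, one mimicking the described traits."""
    root = tempfile.mkdtemp(prefix="nm_")

    def write_pkg(name, pj, extra_files=()):
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w") as fh:
            json.dump(pj, fh)
        for fn in extra_files:
            open(os.path.join(d, fn), "w").close()

    write_pkg("left-pad", {"name": "left-pad", "version": "1.3.0"}, ("index.js",))
    write_pkg("budi-rendang-kucing", {
        "name": "budi-rendang-kucing",
        "version": "3.7.12",
        "private": False,
        "dependencies": {"next": "14.0.0"},
        "scripts": {"postinstall": "node spread.js && npm publish --access public"},
    }, ("spread.js",))
    return root


if __name__ == "__main__":
    for pkg, why in scan_node_modules(build_fixture()).items():
        print(pkg, "->", ", ".join(why))
    print(find_stored_tokens("//registry.npmjs.org/:_authToken=npm_EXAMPLE\n"))
```

Point `scan_node_modules` at a real project's node_modules and `find_stored_tokens` at the contents of `~/.npmrc`; a stored token on a developer machine is exactly what the page says the worm reuses, so any hit there is worth rotating to a scoped, 2FA-protected token.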


MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1195 Supply Chain Compromise (evidence: 1)

A threat actor has published tens of thousands of malicious NPM packages that contain a self-replicating worm... Unlike recent supply chain attacks on NPM, the code used in this campaign does not steal credentials or data, but abuses the ecosystem for spam.

T1195.001 Compromise Software Dependencies and Development Tools (evidence: 1)

The malicious code was designed to generate random names, modify the package.json files to make the packages public and add random version numbers, and publish the packages to the NPM registry.

Stealth (1 technique)

T1036 Masquerading (evidence: 1)

The malware disguises itself as a legitimate Next.js application to avoid detection.
