Saved February 14, 2026
A coordinated effort has released over 67,000 fake npm packages since early 2024, aimed at flooding the registry rather than stealing data. The malicious packages use JavaScript scripts that require manual execution to propagate, creating a self-replicating network that burdens the platform. Researchers link this activity to a monetization scheme involving TEA tokens.
Cybersecurity researchers are sounding the alarm about a massive spam campaign that has dumped over 67,000 fake packages into the npm registry since early 2024. The effort appears financially motivated, aiming to clutter the registry rather than to steal data or launch direct attacks. The packages, often disguised as legitimate Next.js projects, are named with Indonesian terms, earning the campaign the nickname "IndonesianFoods Worm." It has persisted for nearly two years, with a small network of accounts responsible for publishing the junk.
Each fake package contains a dormant JavaScript file that does nothing until someone runs it by hand. Once executed, the script enters an infinite loop: it strips the privacy settings from the package metadata and generates random package names so that npm's version checks do not reject the publish. In this way a new package can be published every 7 to 10 seconds, a staggering rate of approximately 17,000 new packages per day. The campaign is not just about quantity; it strains npm's infrastructure and poses risks for developers who might inadvertently install one of these packages.
The attackers are likely leveraging this operation to earn TEA tokens by inflating their impact scores on the decentralized Tea protocol. Analysis indicates that these spam packages reference each other as dependencies, which exacerbates the problem by triggering npm to fetch an expanding network of dependencies. Security experts have criticized existing scanning systems for failing to catch these packages during installation, as the malicious code only activates later. GitHub has removed the malicious packages and is committed to improving its detection methods, but the scale of this campaign highlights significant vulnerabilities in the npm ecosystem.
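The dependency pattern described above (packages that list each other as dependencies, come from a handful of publisher accounts and are published seconds apart) is something a defender can score before an install pulls the whole cluster in. The following is an added example written for this page, not tooling from npm, GitHub or the researchers; the registry snapshot, package names, maintainer names and thresholds are all constructed and hypothetical, and the dictionary stands in for the metadata a registry lookup would return.

```python
"""Heuristic check for dependency "spam clusters": sets of packages that
reference each other, come from very few publishers and were pushed to
the registry seconds apart. Constructed example; REGISTRY stands in for
registry metadata and every name in it is hypothetical."""
from collections import deque
from datetime import datetime, timedelta

# Constructed registry snapshot. Each entry mimics the fields a registry
# document exposes: maintainer, publish time and declared dependencies.
REGISTRY = {
    "web-app-starter": {"maintainer": "alice", "published": "2024-03-01T10:00:00",
                        "dependencies": ["react-shim-x", "tiny-logger-y"]},
    "react-shim-x": {"maintainer": "bob", "published": "2023-11-20T09:30:00",
                     "dependencies": []},
    "tiny-logger-y": {"maintainer": "carol", "published": "2022-06-05T14:00:00",
                      "dependencies": []},
}
# Six constructed packages that all depend on one another, published by a
# single account nine seconds apart (the pattern the article describes).
_t0 = datetime(2024, 5, 1, 12, 0, 0)
_cluster = [f"spam-pkg-{i}" for i in range(6)]
for i, pkg in enumerate(_cluster):
    REGISTRY[pkg] = {
        "maintainer": "publisher-1",
        "published": (_t0 + timedelta(seconds=9 * i)).isoformat(),
        "dependencies": [n for n in _cluster if n != pkg],
    }


def transitive_deps(name, registry=REGISTRY):
    """Breadth-first walk of the dependency graph starting at `name`.
    Returns every package an install would pull in, excluding `name`
    itself. Dependencies absent from the snapshot are skipped."""
    seen, queue = set(), deque([name])
    while queue:
        cur = queue.popleft()
        for dep in registry.get(cur, {}).get("dependencies", []):
            if dep in registry and dep not in seen and dep != name:
                seen.add(dep)
                queue.append(dep)
    return seen


def cluster_indicators(name, registry=REGISTRY, window_seconds=60):
    """Three signals over the dependency closure of `name`:
    - mutual: fraction of closure members that depend on another member
    - publishers: number of distinct maintainers behind the closure
    - burst: fraction of members published within `window_seconds`
      of the member published just before or just after them."""
    closure = transitive_deps(name, registry)
    if not closure:
        return {"size": 0, "mutual": 0.0, "publishers": 0, "burst": 0.0}
    mutual = sum(
        1 for p in closure
        if any(d in closure for d in registry[p]["dependencies"])
    ) / len(closure)
    publishers = len({registry[p]["maintainer"] for p in closure})
    times = sorted(datetime.fromisoformat(registry[p]["published"]) for p in closure)
    burst_hits = 0
    for i, t in enumerate(times):
        neighbours = times[max(0, i - 1):i] + times[i + 1:i + 2]
        if any(abs((t - n).total_seconds()) <= window_seconds for n in neighbours):
            burst_hits += 1
    return {"size": len(closure), "mutual": mutual,
            "publishers": publishers, "burst": burst_hits / len(times)}


def looks_like_spam_cluster(name, registry=REGISTRY):
    """Flag a package whose closure is mostly self-referencing, comes from
    at most two publishers and was published in a burst. The thresholds
    are illustrative, not tuned against real registry data."""
    ind = cluster_indicators(name, registry)
    return (ind["size"] >= 3 and ind["mutual"] >= 0.8
            and ind["publishers"] <= 2 and ind["burst"] >= 0.8)


if __name__ == "__main__":
    for candidate in ("web-app-starter", "spam-pkg-0"):
        print(candidate, cluster_indicators(candidate), looks_like_spam_cluster(candidate))
```

The check deliberately looks at graph shape and publish timing rather than at package contents, which is what installation-time scanners miss when the payload only runs later; in practice the snapshot would be populated from registry metadata for the candidate and its transitive dependencies before resolution proceeds.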