
150K npm Packages Flood Registry for Crypto Rewards


Amazon Inspector security researchers uncovered over 150,000 malicious npm packages in November 2025, marking the largest supply chain attack in open source registry history. However, this wasn’t a traditional malware campaign. Instead, attackers weaponized tea.xyz’s blockchain-based developer reward system through coordinated token farming, creating functionless packages designed solely to extract cryptocurrency. The attack, detected via AI-powered pattern analysis starting October 24, exposes a dangerous truth: crypto incentive systems in open source can be gamed at unprecedented scale.

The Scale: 150,000 Packages in Three Weeks

Amazon Inspector identified the first suspicious patterns on October 24, 2025, deploying new AI-enhanced detection rules specifically targeting npm publishing anomalies. By November 7, thousands of packages were flagged. Moreover, the full scope emerged by November 12: over 150,000 malicious packages, making this attack 10 times larger than the previous record of 15,000 packages set in April 2024.

The attackers published packages at automated speeds, creating thousands daily through scripted generation. Human moderation never stood a chance. Furthermore, traditional registry safeguards, built for manual review, collapsed under the weight of industrial-scale automation. This isn’t just about numbers; it’s proof that supply chain security can’t rely on human gatekeepers anymore.

Token Farming: Gaming Blockchain Rewards

Unlike credential stealers or ransomware, these packages contained zero malicious code. Instead, they exploited tea.xyz, a blockchain protocol that rewards open source developers with cryptocurrency (TEA tokens) based on package metrics like downloads and dependencies. The protocol’s teaRank algorithm evaluates “perceived package usefulness” to determine rewards. Consequently, attackers gamed this by creating circular dependency chains.

Here’s how it worked: installing Package A automatically triggered installations of Packages B, C, and D, which referenced back to A, multiplying metrics without delivering any functionality. The packages had no legitimate code, just dependency structures designed to inflate teaRank scores. Developers installing one malicious package unknowingly triggered cascading installations of dozens more, all farming tokens in the background.

This reveals a fundamental flaw in blockchain-based open source funding: automated rewards create perverse incentives. When algorithms reward quantity over quality and metrics over utility, exploitation is inevitable. Therefore, tea.xyz’s well-intentioned model proved catastrophically gameable.

Traditional Security Blind to New Attack Vector

Traditional vulnerability scanners failed completely because there were no CVEs to detect. The packages weren’t exploiting software bugs; they were exploiting economic incentive design. This is what makes token farming dangerous: it bypasses every security tool developers currently trust.

AI Detection Breakthrough

Amazon Inspector’s AI-powered detection rules caught what human moderators missed. The system analyzed publishing velocity, dependency structures, metadata anomalies, and tea.xyz protocol tagging to identify coordinated campaigns. Additionally, rule-based matching flagged automated publishing speeds and circular dependencies, while machine learning uncovered the tooling signatures behind the campaign.

The timeline speaks for itself: AI deployment on October 24, thousands of packages flagged within two weeks, and the full 150,000-package scope revealed by November 12. Human review couldn’t scale to this volume—AI could. In fact, this marks the opening salvo in the AI versus AI arms race for supply chain security. As threat actors automate attacks, defenders need automated analysis. The era of manual package review is over.

What Developers Should Do

JavaScript and Node.js developers need to audit all npm dependencies installed after October 2025. Check for recently created packages with suspiciously high dependency counts, circular dependency chains, and tea.xyz metadata tags. Start with these commands:

# Check for suspicious circular dependencies
npm ls --all | grep -E "deduped|circular"

# Audit packages installed since October 2025
npm audit

# Examine package metadata for tea.xyz tags
npm view <package-name> --json | grep -i "tea"

Beyond command-line checks, verify that packages have legitimate GitHub repositories with real commit activity, not auto-generated repos. In addition, use automated scanning tools like Socket.dev, Snyk, or JFrog Curation for proactive vetting. Traditional reactive scanning, which waits for CVE databases to update, won’t catch token farming. You need behavioral analysis, not signature matching.

Moreover, examine your full dependency trees. Your project might not directly install token farming packages, but they could hide deep in transitive dependencies. One malicious package triggers cascades that traditional audits miss.

Key Takeaways

  • Over 150,000 malicious npm packages represent the largest supply chain attack in open source history, dwarfing previous incidents by 10x
  • Token farming exploits blockchain reward algorithms rather than deploying malware, bypassing traditional vulnerability scanners entirely
  • AI-powered detection by Amazon Inspector caught coordinated attack patterns that manual review missed, signaling the shift to automated supply chain security
  • Blockchain-based open source funding models like tea.xyz face fundamental design flaws when automated rewards can be gamed through metric inflation
  • Developers must shift from reactive CVE scanning to proactive behavioral analysis, auditing dependencies for suspicious patterns rather than waiting for known exploits

The tea.xyz attack exposes a hard lesson: automated cryptocurrency rewards for open source contributions sound innovative but create exploitable incentive structures. GitHub Sponsors’ human verification and Open Collective’s transparent governance start looking smarter than algorithmic token distribution. In conclusion, as the supply chain threat landscape evolves, human curation beats gameable automation every time.

ByteBot