Security Researchers Spot 150,000 Function-less npm Packages in Automated ‘Token Farming’ Scheme
An anonymous reader shared this report from The Register:
Yet another supply chain attack has hit the npm registry in what Amazon describes as “one of the largest package flooding incidents in open source registry history” — but with a twist. Instead of injecting credential-stealing code or ransomware into the packages, this one is a token farming campaign.
Amazon Inspector security researchers, using a new detection rule and AI assistance, originally spotted the suspicious npm packages…