In late 2025, security researchers tracking a campaign dubbed IndonesianFoods watched an npm publishing bot cross a threshold nobody had planned defenses for: more than 89,000 packages from a single interlinked operation, some reports citing figures north of 150,000 as the campaign kept running. The mechanism wasn't credential theft or a poisoned dependency — it was reward farming. The Tea Protocol pays TEA tokens to package authors based on a computed "impact score," derived from usage and dependency weight, and the campaign's operators realized that npm never verifies whether a dependency graph reflects real software or a farm built purely to inflate that score. Early waves in 2023-2024 were reported around 43,000 packages; by November 2025, Kaspersky, The Hacker News, and Endor Labs were independently tracking accelerated republishing, with new packages appearing roughly every 7-10 seconds — close to 17,000 a day at peak — through scripted calls to npm's publish API. This piece breaks down how the bots built their circular dependency graphs, how that scheme differs from the typosquat wallet-drainer campaigns hitting the same registry, and the concrete signals that let a registry or a security team catch bulk-publishing bots before they hit five figures.
What is the Tea Protocol, and why did it become a farming target?
Tea Protocol is a blockchain-based incentive layer that pays open-source maintainers TEA tokens proportional to an "impact score" it calculates from how widely a package is used and depended upon. That design is exploitable the moment impact can be manufactured rather than earned: if a scoring formula weights dependency count and download activity, an attacker doesn't need real users — they need packages that depend on each other in large numbers. IndonesianFoods operators dropped a tea.yaml manifest into each spam package to register it with the protocol, then built dense, circular dependency chains where package A depends on B, B depends on C, and C loops back toward A's cluster, so a handful of automated npm install calls anywhere in the graph registered as broad "usage" across tens of thousands of nominally independent packages. It's the software-supply-chain equivalent of click-farm bots inflating ad impressions — the token payout was the entire motive, not code execution on victim machines.
How did the campaign scale to tens of thousands of packages?
Scale came from full automation of npm's publish workflow, not manual account creation. Researchers at Kaspersky and Endor Labs described a bot that scripted the npm CLI or hit the registry's publish API directly, generating new package names, bumping version numbers, and pushing a fresh tea.yaml-bearing package on a fixed interval. The Hacker News' November 2025 reporting put the cadence at one new package roughly every 7 to 10 seconds sustained over long stretches — arithmetic that works out to over 8,000 packages a day even before accounting for parallel accounts. That pace is the tell: no human maintainer, or even a small team, publishes at that frequency, and the packages themselves were often near-empty shells whose only real content was the dependency declarations and the tea.yaml file needed to register for token rewards. The worm label stuck because later waves added self-propagating logic — freshly published packages would themselves trigger further publishes — turning a farming script into something that behaved like a self-sustaining infection of the registry's namespace.
How is reward farming different from npm typosquat wallet-theft campaigns?
Reward farming and wallet-draining typosquats share a registry but not a goal, and conflating them misreads the risk. IndonesianFoods-style farming doesn't need anyone to install its packages in a real project — the token payout comes from registration and inflated dependency metrics, so the "victim" is the protocol's economics, not a developer's machine. Contrast that with campaigns Socket's Threat Research Team disclosed in March 2026, where typosquats of popular Solana and Ethereum libraries — published under an account referenced as "galedonovan" — hooked the exact functions developers use to pass private keys and exfiltrated them to a hardcoded Telegram bot. A separate, earlier wave that The Hacker News and The Register covered in November 2024 impersonated 287-plus popular packages and used an Ethereum smart contract, queried via ethers.js, as a resilient command-and-control channel to fetch attacker infrastructure addresses at runtime. Those packages need a developer to install and run them; farming packages just need to exist and cross-reference each other.
What signals let registries and defenders spot bulk-publishing bots?
Bulk-publishing bots leave a consistent fingerprint regardless of which scheme they're running. The strongest signal is publish velocity from a single account or a small cluster of accounts — dozens or hundreds of packages in a window where a human maintainer would produce one or two. Second is package emptiness paired with metadata designed for a specific external system, like a tea.yaml file with no corresponding functional code. Third is dependency-graph structure: circular or densely interlinked chains between packages that share no legitimate reason to depend on each other are unusual enough to flag algorithmically. Fourth, standard across both farming and theft campaigns, is naming: names within a small edit distance of an established, high-download package, registered under a different, often brand-new publisher account with no prior history and no repository URL. None of these signals alone proves malicious intent, but a package tripping three or four at once — new account, high publish cadence, no repo link, and circular dependencies — is a strong candidate for automated review before it ever reaches a developer's node_modules.
How did npm and the ecosystem respond?
GitHub, which operates npm, responded to the scale of IndonesianFoods by tightening automated anomaly detection aimed specifically at repetitive, bulk-publish patterns tied to single accounts, and the broader package-security community pushed the conversation toward stronger publisher verification and tighter rate limits for high-velocity accounts. That's a meaningful mitigation at the registry's front door, but it's reactive by nature — it catches a pattern after enough of it has been observed, and it says nothing about a protocol-level incentive scheme like Tea's impact score, which remains exploitable by anyone willing to build a smaller, quieter dependency farm below the threshold that trips rate limiting. The gap that's left, for now, is a purpose-built check on whether a package's declared dependency relationships correspond to genuine, independently-authored software rather than a manufactured graph — something no major registry currently verifies at publish time.
How Safeguard Helps
Safeguard's Eagle classification model scores every npm publish against the metadata and behavioral indicators this style of campaign relies on — typosquat similarity within a small edit distance of top packages, newly-published packages with no repository URL, and aggressive versioning from unproven publisher accounts — and re-scores the historical corpus whenever those indicators are refined, so a package reclassified after new signal emerges surfaces as a finding within seconds. The Gold Registry blocks any artifact Eagle scores above 30, which stops both reward-farming shells and wallet-draining typosquats from ever reaching a build before a human reviews them. Eagle's bypass-detection layer also specifically watches for the evasion patterns bulk-publishing campaigns lean on, including typosquat rotation across many similar names and trust "warm-up" publishing of a few benign versions before a payload lands — the same operational pattern IndonesianFoods used to keep individual accounts under the radar while the campaign as a whole scaled past 89,000 packages.