Npm token farming attack becomes one of the largest attacks in history

Security teams at Amazon discovered the npm token farming attack after a sudden spike in strange package activity in late October. Thousands of packages appeared with no functionality at all. No meaningful code. No purpose other than to exist. By early November the count had passed one hundred fifty thousand and continued rising.

Researchers traced the flood to a coordinated effort to collect Tea tokens through the tea.xyz protocol. Each package contained a simple file that pointed to attacker-controlled blockchain wallets. The more packages they created, the more token rewards they could claim once the network moved toward mainnet.

The problem is not that the packages contained malware. The problem is that their sheer volume created a massive load on the npm registry and gave attackers a working model for far more harmful replication in the future.

A supply chain issue that grows without spreading malware

Amazon built a new detection rule and paired it with automated analysis to flag patterns across multiple accounts. Once the signals lined up, they alerted the Open Source Security Foundation. Together they confirmed that the attack was not a traditional code poisoning event. It was an automated reward extraction scheme inside a blockchain ecosystem.
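The cross-account pattern described above, as an added illustration rather than Amazon's or OpenSSF's actual rule: packages that ship no runnable code but name a payout wallet are grouped by that wallet, and a wallet fed from several publisher accounts is reported. The package dicts and the `reward_config` field names are constructed for this example and are not the real tea.xyz file schema.

```python
from collections import defaultdict

# Files that carry no runnable functionality; a package shipping only these is "empty".
NON_CODE_FILES = {"package.json", "README.md", "LICENSE", "tea.yaml"}


def is_empty_package(pkg):
    """True when the package ships nothing a consumer could import or run."""
    return all(f in NON_CODE_FILES for f in pkg["files"])


def wallet_of(pkg):
    """Wallet named in the package's reward-config block, if any (assumed field names)."""
    return (pkg.get("reward_config") or {}).get("wallet")


def find_farming_clusters(packages, min_packages=3, min_publishers=2):
    """Group empty packages by payout wallet and keep clusters that span several
    publisher accounts: one wallet funded from many accounts is the farming signal."""
    clusters = defaultdict(lambda: {"packages": [], "publishers": set()})
    for pkg in packages:
        wallet = wallet_of(pkg)
        if wallet is None or not is_empty_package(pkg):
            continue  # real code or no payout target: not token farming
        clusters[wallet]["packages"].append(pkg["name"])
        clusters[wallet]["publishers"].add(pkg["publisher"])
    return {w: c for w, c in clusters.items()
            if len(c["packages"]) >= min_packages and len(c["publishers"]) >= min_publishers}


# Constructed sample registry snapshot (wallet strings are placeholders, not real addresses).
SAMPLE_PACKAGES = [
    {"name": "farm-pkg-001", "publisher": "acct-a", "files": ["package.json", "tea.yaml"],
     "reward_config": {"wallet": "0xWALLET_PLACEHOLDER_1"}},
    {"name": "farm-pkg-002", "publisher": "acct-a", "files": ["package.json", "tea.yaml"],
     "reward_config": {"wallet": "0xWALLET_PLACEHOLDER_1"}},
    {"name": "farm-pkg-003", "publisher": "acct-b", "files": ["package.json", "README.md", "tea.yaml"],
     "reward_config": {"wallet": "0xWALLET_PLACEHOLDER_1"}},
    # Legitimate package: ships code and names no wallet.
    {"name": "useful-lib", "publisher": "dev-1", "files": ["package.json", "index.js"]},
    # Names a wallet but ships real code: not flagged by this rule.
    {"name": "real-lib", "publisher": "dev-2", "files": ["package.json", "lib/main.js", "tea.yaml"],
     "reward_config": {"wallet": "0xWALLET_PLACEHOLDER_2"}},
]

if __name__ == "__main__":
    for wallet, c in find_farming_clusters(SAMPLE_PACKAGES).items():
        print(f"{wallet}: {len(c['packages'])} empty packages from {len(c['publishers'])} accounts")
```

Tuning `min_packages` and `min_publishers` trades false positives against how early a flood is caught; a single wallet across many accounts is the signal, not the size of any one package.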

Sonatype researchers reported that a similar pattern existed in 2024 but at a much smaller scale. What began as fifteen thousand packages has expanded into a wave ten times larger. This matters because attackers now see that they can replicate packages at enormous scale without being stopped quickly. The next iteration could easily mix replication with real payloads.

The real world impact across developer teams

This incident shows how blockchain reward models can influence behavior far outside the blockchain itself. A system that awards tokens for open source activity becomes a target for people who want free rewards. That incentive feeds automation. Automation feeds volume. Volume overwhelms registries and wastes the time of developers who rely on trusted packages.

The attack also shows a shift in threat design. Instead of embedding malicious code, some attackers will now focus on overwhelming the ecosystem to earn future value. This means developers need stronger dependency checks. Registries need better filters. And blockchain incentive systems need fraud controls or they become entry points for widespread automation abuse.

Where it goes from here

The npm token farming attack will not be the last of its kind. Reward driven attacks will continue as long as people can exchange tokens for financial gain. Supply chain security teams expect more mixing of automated replication, reward abuse, and opportunistic payloads.

The lesson is simple. Volume can be as dangerous as malware. And the systems that tie blockchain incentives to open source activity need stronger protections before they scale.
