Bookworm

Researchers have identified a two‑year spam campaign that has flooded the npm registry with tens of thousands of fake packages using a worm-like mechanism to auto-publish new packages and potentially monetize the effort via the TEA protocol; investigators say attribution is unconfirmed and registry operators have removed the packages.