Massive Automated Spam Campaign Abuses GitHub to Flood npm Registry with Thousands of Garbage Tea[.]xyz Packages

In a reprise of their previous Tea[.]xyz spam campaign, spammers are flooding npm with a new wave of thousands of garbage packages in order to artificially inflate the number of dependents for their projects.


Sarah Gooding

July 11, 2024


The tea[.]xyz crypto spammers are back at it again, abusing the npm Registry with a massive spam campaign that has flooded it with thousands of garbage packages in the past week. The campaign is ongoing, and spammers were still publishing packages as recently as a few minutes before this post went live.

In March and April, we saw a previous onslaught of spam driven by Tea[.]xyz, a crypto protocol that has so far been a magnet for scammers looking for a quick profit in TEA tokens. The project is led by Homebrew creator Max Howell, with the aim of incentivizing open source developers and maintainers for their software contributions. Howell has been heavily criticized for the architectural failings of this attempt at OSS sustainability, as the spammers it attracts have become the scourge of multiple open source package registries.

Yesterday we noticed some slowdowns in our infrastructure and tracked them down to a series of spam packages with thousands of transitive dependencies that have auto-generated names. Many of the top-level packages contain the requisite tea.yaml file.

In 2024, the top 5 days by number of package versions published include several from this week, a spike that corresponds to this spam campaign and the previous one.

Date        Package versions published
2024-04-08  85,426
2024-04-09  64,219
2024-04-07  60,273
2024-07-08  59,511
2024-07-09  58,062

In the tea[.]xyz crypto scheme, maintainers receive rewards based on the utilization of their projects. When registering a project on tea, maintainers must commit the tea.yaml constitution file directly to their repos.

The Tea protocol is based on “proof of contribution,” which comes through a .yaml file embedded in the project, but it is easily gamed:

Proof of Contribution builds on Google’s PageRank to model OSS packages and their versions as nodes in a graph. The algorithm continually evaluates how the open-source software graph changes over time.

The spammers are therefore incentivized to create massive dependency trees of thousands of garbage packages that are transitive dependencies of the packages containing the tea[.]xyz yaml file. Each new spam package version references and installs previous versions, creating a spider web effect that artificially inflates the number of dependents.
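The following is an added example of how a defender might detect the "spider web" pattern described above in a registry snapshot; it is not Socket's own detection code, and it assumes a simplified record format (name, version, publisher, dependencies, tea.yaml presence) and a constructed sample dataset rather than real packages from the campaign. It flags packages whose dependency edges come almost entirely from a single publisher, and packages whose newer versions depend on their own older versions.

```python
from collections import Counter, defaultdict

# Constructed sample registry snapshot (hypothetical names, not packages from the campaign).
# "deps" maps dependency name -> pinned version; "tea_yaml" marks a tea.yaml-bearing package.
SAMPLE_PACKAGES = [
    {"name": "tea-root", "version": "1.0.0", "publisher": "spammer1",
     "deps": {}, "tea_yaml": True},
    # Each new version of spam-pkg depends on the previous one and on tea-root.
    {"name": "spam-pkg", "version": "1.0.0", "publisher": "spammer1",
     "deps": {"tea-root": "1.0.0"}, "tea_yaml": False},
    {"name": "spam-pkg", "version": "1.0.1", "publisher": "spammer1",
     "deps": {"spam-pkg": "1.0.0", "tea-root": "1.0.0"}, "tea_yaml": False},
    {"name": "spam-pkg", "version": "1.0.2", "publisher": "spammer1",
     "deps": {"spam-pkg": "1.0.1", "tea-root": "1.0.0"}, "tea_yaml": False},
    {"name": "spam-leaf", "version": "0.0.1", "publisher": "spammer1",
     "deps": {"spam-pkg": "1.0.2"}, "tea_yaml": False},
    # A legitimate package with organically diverse dependents.
    {"name": "left-pad-ish", "version": "2.0.0", "publisher": "maintainerA",
     "deps": {}, "tea_yaml": True},
    {"name": "app-one", "version": "1.0.0", "publisher": "devB",
     "deps": {"left-pad-ish": "2.0.0"}, "tea_yaml": False},
    {"name": "app-two", "version": "1.0.0", "publisher": "devC",
     "deps": {"left-pad-ish": "2.0.0"}, "tea_yaml": False},
    {"name": "app-three", "version": "3.1.0", "publisher": "devD",
     "deps": {"left-pad-ish": "2.0.0"}, "tea_yaml": False},
]


def analyze(packages, min_dependents=3, max_publisher_share=0.8):
    """Return a list of findings for packages whose dependent graph looks inflated.

    A dependency edge is counted for every published version that lists the
    package as a dependency, because that is exactly how the spam inflates the
    graph. Thresholds are assumptions chosen for the sample, not registry policy.
    """
    edges = defaultdict(Counter)  # dependency name -> Counter(publisher of dependent)
    self_refs = Counter()         # name -> versions that depend on an older version of itself
    has_tea_yaml = defaultdict(bool)
    for rec in packages:
        has_tea_yaml[rec["name"]] |= rec["tea_yaml"]
        for dep in rec["deps"]:
            edges[dep][rec["publisher"]] += 1
            if dep == rec["name"]:
                self_refs[dep] += 1

    findings = []
    for name, publishers in edges.items():
        total = sum(publishers.values())
        if total < min_dependents:
            continue
        top_pub, top_n = publishers.most_common(1)[0]
        share = top_n / total
        reasons = []
        if share >= max_publisher_share:
            reasons.append(f"{share:.0%} of dependent edges come from publisher '{top_pub}'")
        if self_refs[name]:
            reasons.append(f"{self_refs[name]} version(s) depend on an older version of itself")
        if reasons:
            findings.append({"package": name, "dependents": total,
                             "tea_yaml": has_tea_yaml[name], "reasons": reasons})
    return sorted(findings, key=lambda f: f["dependents"], reverse=True)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKAGES):
        flag = " (has tea.yaml)" if finding["tea_yaml"] else ""
        print(f"{finding['package']}{flag}: {finding['dependents']} dependent edges")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the sample, tea-root and spam-pkg are flagged (all of their dependents come from one publisher, and spam-pkg's versions chain onto each other), while left-pad-ish, whose three dependents come from three different publishers, is not. On a real snapshot the publisher-share heuristic should be combined with the auto-generated-name and bulk-publish-rate signals described elsewhere in this post, since a single-publisher monorepo can legitimately produce a similar share.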

npm package author vanthuanbt26 is responsible for 451 of these spam packages; 307 of them are still live on npm.

Spam Packages Are Automatically Generated via a Workflow on GitHub

Many of these packages are generated using ReguideWIKI/teaSimple-vCore to artificially jack up the number of dependents.

The repositories on GitHub contain the workflows that kick off publishing:

https://github.com/f1stnpm2/odio-illo-aut/tree/main/.github/workflows

The https://github.com/f1stnpm2/odio-illo-aut/blob/main/.github/workflows/publish-npmjs.yml publishing workflow is triggered by a repository_dispatch event of type commit-change, i.e. whenever the commit-change workflow reports a new commit:

repository_dispatch:
  types: [commit-change]

Another workflow, https://github.com/f1stnpm2/odio-illo-aut/blob/main/.github/workflows/new-release.yml, triggers a new GitHub release on a cron schedule every day at 3:10 AM (GitHub Actions schedules run in UTC):

schedule:
  - cron: '10 3 * * *'

That release in turn kicks off https://github.com/f1stnpm2/odio-illo-aut/blob/main/.github/workflows/commit-change.yml, which then triggers the npm publish workflow. As expected, the whole process is fully automated.

These activities fall outside of GitHub’s acceptable use policies, which prohibit automated excessive bulk activity and coordinated inauthentic activity, such as spamming, as well as anything that is incentivized by, or that incentivizes inauthentic engagement with, rewards such as cryptocurrency airdrops, tokens, credits, gifts or other give-aways.

Many of the GitHub organizations responsible for these packages have no public members but serve as hubs for hundreds of repositories with auto-generated names and readme files that are direct copies of legitimate open source projects. Examples: zitterorg and dramaorg.

This is a developing story. We're closely monitoring this campaign as it's still ongoing with its abuse of GitHub and npm, and we are reporting the spammers as they continue to automate the distribution of these packages.
