A self-spreading package published on npm spams the registry by spawning new packages every seven seconds, creating large volumes of junk.
The worm, dubbed ‘IndonesianFoods’ because of its distinctive package naming scheme, which picks random Indonesian names and food terms, has published over 100,000 packages according to Sonatype, and the number is growing exponentially.
Although the packages do not have a malicious component for developers (e.g., stealing data, backdooring hosts), this could change with an update that introduces a dangerous payload.
