Java NPM Registry flooded with a tidal wave of malicious packages!
Darkreading.com reported that "Amazon researchers discovered more than 150,000 malicious packages in the NPM registry, in what they called 'a defining moment in supply chain security.'" The November 14, 2025 article entitled "150,000 Packages Flood NPM Registry in Token Farming Campaign" (https://www.darkreading.com/application-security/150000-packages-flood-npm-registry-token-farming) included these comments:
The packages were part of a token farming campaign that targeted the tea.xyz protocol, which is a blockchain-based system designed to reward developers for open source contributions. The campaign marks the latest example of threat actors weaponizing NPM packages, such as the recent "Shai-hulud" worm, to compromise developers and conduct supply chain attacks.
But unlike previous incidents, this token farming campaign did not poison the NPM packages with "overtly malicious code," according to Chi Tran, senior security researcher at AWS, and Charlie Bacon, head of security engineering and research for Amazon Inspector.
"Instead, they exploit the tea.xyz reward mechanism by artificially inflating package metrics through automated replication and dependency chains, allowing threat actors to extract financial benefits from the open source community," Bacon and Tran wrote in a blog post on Thursday.
While the campaign did not feature malware, the researchers explained that the token farming campaign marked "a concerning evolution in supply chain security" that poses significant risk to developers, their organizations, and the greater software ecosystem.
Is anyone surprised?