No good idea - like rewarding open source software developers and maintainers for their contributions - goes unabused by cybercriminals, and this was the case with the Tea Protocol and two token farming campaigns.
# Incident Report: Tea Protocol Token Farming Campaigns
## Executive Summary
The Tea Protocol, designed to reward open source developers with cryptocurrency tokens, suffered multiple abuse incidents through token farming campaigns targeting the npm registry. Attackers flooded open source package repositories with thousands of spam packages designed to inflate developer reputation scores and claim protocol rewards associated with the program's testnet phase. While this abuse occurred on a "test network" using valueless tokens, it highlighted severe vulnerabilities in incentive mechanisms that could be exploited in future supply chain attacks.
## Incident Details
- Discovery Date: April 2024 (Initial large spike) / November 2025 (Amazon discovery)
- Incident Date: Initial campaign started sometime before April 2024; major scaling occurred in 2025 (IndonesianFoods/Indonesian Tea campaigns).
- Affected Organization: Tea Protocol / Affected Registries: npm
- Sector: Cryptocurrency / Decentralized Finance (DeFi) / Software Supply Chain
- Geography: Global (npm registry abuse)
## Timeline of Events
### Initial Access
- Date/Time: Prior to April 2024 (Testnet phase)
- Vector: Abuse of DeFi/Incentive mechanism design flaw.
- Details: Fraudsters registered accounts and used automated scripts to flood the npm registry with packages carrying a `tea.yaml` metadata file that pointed back to Tea accounts under their control.
### Lateral Movement
- No classic network lateral movement is described; the "worm-like behavior" of the scripts instead refers to coordinated actors automatically propagating spam packages across the npm ecosystem at high speed.
### Data Exfiltration/Impact
- The impact was primarily the **exploitation of the incentive distribution system**, leading to the inflation of developer reputation scores and attempted fraudulent token payouts (though initially for test tokens). The scale was massive: **15,000 spam packages** in the initial April shutdown, followed by campaigns polluting **more than 1% of npm** in 2025, culminating in Amazon uncovering **hundreds of thousands of packages** linked to these campaigns in November 2025.
### Detection & Response
- **Detection:** The Tea team recognized the spamming behavior in real time, noting the "worm-like behavior" of the scripts.
- **Response Actions:**
1. The incentive program rewards were shut down for approximately three weeks in April 2024 after approximately 15,000 spam packages were detected.
2. The Tea team began designing "radical changes" for the mainnet launch (early 2026) to address these design flaws, focusing on upstream verification rather than post-hoc detection.
## Attack Methodology
- **Initial Access:** Mass registration and automated package submission to leverage the reward structure.
- **Persistence:** N/A (Focused on rapid reward farming rather than long-term system access).
- **Privilege Escalation:** N/A in the traditional sense; the elevation was within the protocol's reputation/reward hierarchy through spamming.
- **Defense Evasion:** The sheer volume and automated nature of the submissions overwhelmed manual review processes ("proliferation of the [bots/scripts] ... become like a DDoS attack").
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** Worm-like script behavior for rapid package flooding.
- **Collection:** Focused on manipulating the protocol's metadata (`tea.yaml`) linkage to claim rewards.
- **Exfiltration:** Attempted extraction of Tea tokens and reputation value from the reward system (during the testnet phase, tokens with no monetary value).
- **Impact:** Financial exploitation risk and widespread poisoning of the npm registry with low-quality/spam packages.
## Impact Assessment
- Financial: No direct financial loss is stated, since the testnet tokens had no value, but the cost of remediation and the potential for future losses were significant enough to warrant "radical changes." Amazon uncovered "hundreds of thousands" of packages related to subsequent campaigns.
- Data Breach: No sensitive corporate or user data breach reported; the compromise targeted the token incentive system.
- Operational: Temporary disruption to the incentive program structure and required resources devoted to clean-up and redesign. Significant pollution of the npm ecosystem.
- Reputational: Highlighted security flaws in novel incentive-based software security models.
## Indicators of Compromise
- **Network Indicators:** (None explicitly provided/defanged)
- **File Indicators:** Packages containing `tea.yaml` metadata linking to Tea accounts.
- **Behavioral Indicators:** Scripts exhibiting "worm-like behavior"; rapid surge in low-quality package creation; evidence of Sybil attack patterns.
## Response Actions
- Temporarily suspended the incentive program rewards (3 weeks in April 2024).
- Development of integrated security improvements for the mainnet launch, including:
  - Requiring stricter ownership and provenance checks.
  - Integration with PKGW for verification via cryptographic signatures and identity checks at the point of registration.
  - Implementing monitoring for Sybil attacks and flagging suspicious identity surges.
## Lessons Learned
- Financial incentives, even for seemingly positive open source contributions, will be immediately abused by cybercriminals if reward mechanisms lack robust, non-bypassable verification.
- Relying on human review or post-hoc detection for scale is insufficient against automated farming attacks (described as a "DDoS attack" by bots).
- The techniques used by farming attackers (mass package pollution) are indicative of methods sophisticated threat actors (e.g., Lazarus Group) could adapt to target software supply chains directly.
## Recommendations
- Implement cryptographic signing and identity verification (e.g., via PKGW integration) *before* rewards are issued or reputation is granted.
- Integrate real-time monitoring and quarantine triggers for patterns indicative of Sybil attacks or rapid, low-quality submission surges directly into the acceptance pipeline, not after deployment.
- Ensure all incentive testnets are strictly isolated with zero pathways to real-world financial value until all control mechanisms are proven robust against mass automation.
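The behavioral indicators above (many low-quality packages from a burst of accounts, all wired to the same `tea.yaml` payout) and the recommendation to monitor for Sybil surges in the acceptance pipeline can be turned into a concrete heuristic. The following is an added example, not code from the report or the Tea project; it assumes `tea.yaml` lists payout addresses under a `codeOwners` key as in the project's published template, uses constructed publish records, and the thresholds are assumptions to be tuned against real registry volumes.

```javascript
// Added example (not from the report or the Tea project): flag clusters of npm
// publishes whose tea.yaml pays the same address at farming-scale volume and rate.
const MIN_PACKAGES = 20, MIN_PER_HOUR = 30;   // assumed thresholds; tune to real volumes
// Pull codeOwners addresses out of a tea.yaml body. Handles only the flat
// template shape (version / codeOwners list / quorum), not arbitrary YAML.
function teaOwners(yamlText) {
  const owners = [];
  let inList = false;
  for (const line of yamlText.split("\n").map((l) => l.trim())) {
    if (line.startsWith("codeOwners:")) inList = true;
    else if (inList && line.startsWith("- ")) owners.push(line.slice(2).replace(/['"]/g, ""));
    else if (inList && line) inList = false;   // next top-level key ends the list
  }
  return owners;
}
// Group publish records by payout address; report addresses fed by at least
// minPackages packages at a sustained rate of minPerHour or more.
function findFarmingClusters(publishes, minPackages = MIN_PACKAGES, minPerHour = MIN_PER_HOUR) {
  const byOwner = new Map();
  for (const p of publishes) {
    for (const owner of teaOwners(p.teaYaml)) {
      byOwner.set(owner, (byOwner.get(owner) || []).concat(p));
    }
  }
  const flagged = [];
  for (const [owner, list] of byOwner) {
    if (list.length < minPackages) continue;
    const t = list.map((p) => Date.parse(p.publishedAt)).sort((a, b) => a - b);
    const hours = Math.max((t[t.length - 1] - t[0]) / 3.6e6, 1 / 60);  // floor span at one minute
    const perHour = Math.round(list.length / hours);
    const publishers = new Set(list.map((p) => p.publisher)).size;
    if (perHour >= minPerHour) flagged.push({ owner, packages: list.length, publishers, perHour });
  }
  return flagged.sort((a, b) => b.packages - a.packages);
}
// Constructed sample: 40 packages from 8 npm accounts in 19 minutes all paying
// 0xFARM (Sybil pattern), plus one maintainer publishing 3 packages over a year.
function samplePublishes() {
  const yaml = (addr) => `version: 1.0.0\ncodeOwners:\n  - '${addr}'\nquorum: 1\n`;
  const out = [];
  for (let i = 0; i < 40; i++) {
    out.push({ name: `farm-pkg-${i}`, publisher: `acct${i % 8}`, teaYaml: yaml("0xFARM"),
      publishedAt: new Date(Date.UTC(2025, 10, 1, 10, Math.floor(i / 2))).toISOString() });
  }
  for (const m of [0, 5, 11]) {
    out.push({ name: `real-lib-${m}`, publisher: "maintainer", teaYaml: yaml("0xLEGIT"),
      publishedAt: new Date(Date.UTC(2024, m, 1)).toISOString() });
  }
  return out;
}
```

Run against the sample, only the `0xFARM` cluster is reported (40 packages, 8 publishers, roughly 126 publishes per hour), while the maintainer's three releases stay below the volume floor; in a real pipeline the flagged address would be held back from reputation credit pending the ownership and identity checks the report recommends.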