The Great Indonesian Tea Theft: How an NPM Spam Campaign Hijacked Thousands of Packages
A sophisticated spam operation from Indonesia leveraged NPM's open registry to hijack popular packages, inject malicious code, and self-replicate across thousands of projects. The attack demonstrates how even well-known libraries can become vectors for supply-chain compromise, and it underscores the need for stricter publishing controls.