tea.xyz Spam Plagues npm and RubyGems Package Registries

Tea.xyz spam is becoming the scourge of the open source ecosystem, as the crypto protocol has so far been a magnet for scammers looking for a quick profit of TEA tokens. The project, led by Homebrew creator Max Howell, aims to incentivize open source developers and maintainers for software contributions.

In February and March of this year, tea.xzy crypto spam targeted open source projects on GitHub, flooding projects with spam PRs and infuriating maintainers who had to clean up the mess. At that time Howell called the spamming “disgusting and counter productive” to their mission. He said he was “furious about it,” and promised to take steps to make it more difficult for their users to perform automated spamming in order to “reduce the burden to zero on open source maintainers.”

Automated Tea.xyz Spam Pollutes Public Package Registries with Garbage Packages#

Tea.xyz spammers are also abusing package registries to publish garbage packages as “proof of contribution” to improve their Tea rankings. Mostly notably, this spam has recently driven up the number of new packages on npm beyond the usual daily number.

Phylum researched this uptick in new packages (not new versions of existing packages) and found that it peaked at over 7x the number of daily new package typically seen. They monitored the Tea npm packages and the transitive Tea npm packages, representing their increase in this graph.

Phylum Isolated a campaign of thousands of dependencies that were automatically generated using a script on GitHub. The spam was so pervasive that they initially suspected that the Tea protocol had incentivized a massive automated crypto farming campaign. Phylum found 14,000 packages registered with the Tea protocol across all open source ecosystems, with npm the hardest hit.

In a post titled The Implications of Crypto Rewards on RubyGems.org the Ruby community’s gem hosting service condemned the spamming as an exploitative practice, after an investigation into the proliferation of empty gems. The cleanup process caused temporary delays in gem index updates, and the registry took strict actions against accounts created solely for spamming.

Maciej Mensfeld, a member of the RubyGems security team, voiced serious concerns about the community disruption caused by the Tea.xyz spam gems:

While rewarding open-source contributions may seem noble, it can lead to unintended consequences, affecting RubyGems.org and other platforms. At RubyGems.org, we’ve encountered exploitation attempts that divert our resources and undermine trust and collaboration within our community. We remain committed to maintaining the integrity of RubyGems.org and supporting the broader open-source community, urging others to refrain from exploitative practices like the one described in this incident report.

The incident report states that RubyGems.org will block and revoke access from any accounts found to be violating terms or abusing the service.

At Socket, we have also found Tea.xyz spam packages on PyPI, all with the same author. Although the packages flooding these public registries have so far not been found to contain anything malicious, they are a serial drain on registry maintainers, who are often tasked with investigating these spam campaigns and cleaning them up.

As these spam problems persist, it’s becoming increasingly apparent that the architecture of this crypto project is flawed by design, exacerbating the challenges of sustaining open source software rather than addressing them. The notion of receiving rewards based on a project’s influence and impact has so far only siphoned valuable time from the open source community, acting more as a burden than a support system, and ultimately detracting from the collaborative ethos of open source.

Although this project aims to incentivize contributions, so far it appears to be exploiting the ecosystem employing a vague concept that attracts more spammers than actual open source maintainers.