We have repeatedly come across cases involving open source registries like npm and PyPI being flooded with thousands of packages in a short span of time. Typically, such surges in publishing activity are related to malware, dependency confusion PoCs, or just ...annoying SEO spam leveraging these registries.
It's not every day though that we see a virtually benign flood of packages that otherwise aren't conducting anything dangerous — well then, why the flood?
Article Link: Devs flood npm with 15,000 packages to reward themselves with Tea 'tokens'