Company
Date Published
July 16, 2024
Author
Liran Tal
Word count
1524
Language
English
Hacker News points
None

Summary

Sébastien Lorber, the maintainer of Docusaurus, noticed a suspicious change in a Pull Request touching the cliui package: it used an unfamiliar syntax for defining custom resolution rules for packages through npm package aliasing. Aliasing lets a package be installed under a name that differs from the name it is resolved from, so it can be used to misrepresent dependency information, and Lorber was suspicious of the package names involved. He ran lockfile-lint, which warned that the resolved URLs in the lockfile pointed to packages whose names differed from the names they were installed under. The suspicious packages existed on the public npm registry, had anonymous authors, and appeared to be part of a supply chain attack campaign aimed at creating false legitimacy for malicious packages: they would first be installed in a harmless form and later updated with malicious versions. The campaign appears to be related to mining Tea tokens through the misuse of Tea.
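The check that surfaced the aliasing in this incident is simple to reproduce: compare the package name each lockfile entry is installed under with the package name embedded in its `resolved` registry URL. The script below is an added example, not code from the original post or from lockfile-lint; the lockfile it scans is constructed inline (lockfileVersion 3 layout) and the package names in it, apart from the well-known `cliui`, are placeholders rather than the real packages from the campaign.

```python
import json
from urllib.parse import urlparse

# Constructed sample package-lock.json (lockfileVersion 3). "wrap-ansi" is
# installed from a tarball for a different package, which is what an npm alias
# ("wrap-ansi": "npm:some-unknown-pkg@1.0.0") produces in the lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/cliui": {
            "version": "8.0.1",
            "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz",
        },
        "node_modules/wrap-ansi": {
            "name": "some-unknown-pkg",
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/some-unknown-pkg/-/some-unknown-pkg-1.0.0.tgz",
        },
        "node_modules/@scope/left": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/left/-/left-2.0.0.tgz",
        },
        "node_modules/@scope/left/node_modules/cliui": {
            "version": "7.0.4",
            "resolved": "https://registry.npmjs.org/cliui/-/cliui-7.0.4.tgz",
        },
    },
})


def installed_name(lock_path):
    """Package name a lockfile entry is installed under.

    Keys look like "node_modules/foo", "node_modules/@scope/foo" or, for
    nested installs, "node_modules/a/node_modules/foo"; the name is whatever
    follows the last "node_modules/" segment.
    """
    marker = "node_modules/"
    idx = lock_path.rfind(marker)
    if idx < 0:
        return None
    return lock_path[idx + len(marker):]


def resolved_name(url):
    """Package name embedded in a registry tarball URL.

    Registry tarball paths have the form "/<name>/-/<file>.tgz", where
    <name> may be scoped ("@scope/name"). Non-registry URLs (git, file,
    plain http downloads) have no "/-/" segment and yield None.
    """
    path = urlparse(url).path
    if "/-/" not in path:
        return None
    return path.split("/-/", 1)[0].lstrip("/")


def find_alias_mismatches(lockfile_text):
    """Return (lockfile key, installed name, resolved name) for every entry
    whose resolved tarball belongs to a different package than the one it is
    installed as. This is the condition lockfile-lint warned about."""
    lock = json.loads(lockfile_text)
    mismatches = []
    for key, entry in lock.get("packages", {}).items():
        installed = installed_name(key)
        resolved = resolved_name(entry.get("resolved", ""))
        if installed is None or resolved is None:
            continue  # root package or a non-registry source; not a name check
        if installed != resolved:
            mismatches.append((key, installed, resolved))
    return mismatches


if __name__ == "__main__":
    for key, installed, resolved in find_alias_mismatches(SAMPLE_LOCKFILE):
        print(f"{key}: installed as '{installed}' but resolved from '{resolved}'")
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the file contents; any hit is worth a manual look at the package's registry page and authors before the dependency is merged, since aliasing is legitimate in some projects but was the tell in this case.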