What Happened to Tea.xyz


What Happened to tea.xyz | Andrew Nesbitt

On June 4th, tea.xyz launched what it had been promising since 2022: a cryptocurrency that pays open source maintainers. Within the first hour of official trading, the token fell 75% from its opening price. A week later it trades about 90% below its first-day high, the company’s GitHub org has been near-silent for six months, and the founder’s public commits are going to a different project entirely.

Their own blog post from June 8th, titled The Work Continues, concedes “the right response is not to pretend the launch went the way we wanted. It did not.” I’ve been pulling the public data: GitHub commit history, on-chain trading records, and the long paper trail tea left across the package registries.

Where tea came from

tea was founded by Max Howell, the creator of Homebrew, with Timothy Lewis. It came out of stealth in March 2022 with $8M led by Binance Labs, followed by an $8.9M seed round in December 2022. The pitch had two halves: a new package manager (the tea CLI), and a blockchain protocol that would reward the maintainers of open source packages with tokens. Howell wrote Homebrew and made nothing from it, and the pitch leaned on that history, famous Google interview rejection included.

The two halves split in October 2023, when the package manager was renamed pkgx and moved to its own GitHub org (the old teaxyz/cli repo still redirects there) while the teaxyz org kept the crypto protocol. pkgx is a decent piece of software, and it never had a token in it. But the separation was only organisational: the company and founders stayed the same, and pkgx remained part of tea’s pitch as the eventual “cryptographically aware package register” for the protocol.

The incentive design

The white paper describes a mechanism called Proof of Contribution. Every package gets a score called teaRank, computed over the dependency graph and explicitly modelled on Google’s PageRank. The more packages depend on yours, the higher your rank, and rewards scale with rank. To claim a package you add a tea.yaml file to its repository containing your wallet address.

The protocol paid out tokens in proportion to how many packages you controlled and how connected they were. Registering a thousand packages paid better than one, and declaring dependencies between them pushed their ranks higher still. Nothing in the design was costly to fake, since a package name costs nothing to register and a dependency is one line in a manifest. In February 2024 tea opened an incentivized testnet, a trial version of the protocol where points earned would convert to tokens at launch, and reported nearly 200,000 signups and 500 projects in the first week.
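The effect described above can be measured on a toy graph. This is an added example, not code from the article or from tea: it uses textbook PageRank as a stand-in for teaRank (the white paper's exact formula is not reproduced on this page), and the package names and graph are constructed.

```python
# Plain PageRank as a stand-in for teaRank (assumption: tea's real
# scoring formula is not given on this page).
DAMPING = 0.85

def pagerank(deps, iterations=200):
    """deps maps package -> list of packages it depends on.
    Rank flows from a dependent package to its dependencies."""
    nodes = sorted(set(deps) | {d for ds in deps.values() for d in ds})
    n = len(nodes)
    rank = {p: 1.0 / n for p in nodes}
    for _ in range(iterations):
        # Packages with no dependencies spread their rank evenly.
        dangling = sum(rank[p] for p in nodes if not deps.get(p))
        nxt = {p: (1 - DAMPING) / n + DAMPING * dangling / n for p in nodes}
        for p in nodes:
            targets = deps.get(p, [])
            for t in targets:
                nxt[t] += DAMPING * rank[p] / len(targets)
        rank = nxt
    return rank

# Constructed organic graph: two apps depend on lib, lib depends on core.
ORGANIC = {"app1": ["lib"], "app2": ["lib"], "lib": ["core"], "core": []}

def cluster_share(count, interlinked):
    """Share of total rank held by `count` empty packages from one owner."""
    names = [f"empty-{i}" for i in range(count)]
    graph = dict(ORGANIC)
    for name in names:
        graph[name] = [o for o in names if o != name] if interlinked else []
    rank = pagerank(graph)
    return sum(rank[name] for name in names)

if __name__ == "__main__":
    for count, linked in [(1, False), (6, False), (6, True)]:
        print(count, linked, round(cluster_share(count, linked), 3))
```

On this graph the six interlinked empty packages end up holding most of the total rank, ahead of the one package that real code depends on, which is the property a reward scheme has to rule out before paying on rank.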

The spam

The farming started immediately, with pull requests on GitHub adding tea.yaml files to other people’s projects, trying to claim repos the submitter didn’t own. Howell called the PRs “disgusting and counter productive”. On the registries, Phylum documented new npm package publications climbing from mid-February 2024 to over seven times normal daily volume, with around 14,000 tea-registered packages across npm, PyPI, RubyGems, and crates.io. Sonatype counted roughly 15,000 on npm alone, with single accounts publishing hundreds of packages.

RubyGems published an incident report describing empty gems created to farm rewards, including one six-year-old gem with over 100,000 downloads whose owner retroactively added a tea.yaml to cash in on it. In response they tightened publishing limits and blocked the accounts responsible. By August 2024, DEVCLASS reported research estimating that of roughly 890,000 packages published to npm in the prior six months, around 70% were tea farming spam.

In November 2025, Endor Labs analysed the “IndonesianFoods” campaign: 43,000+ packages from at least 11 npm accounts over nearly two years, with auto-generated names from word lists. Amazon Inspector tied over 150,000 packages to the same token-farming campaign. Some coverage called it a worm, though Socket’s analysis found automation rather than self-propagation. The spam packages declared dependencies on each other to inflate teaRank, which meant installing any one of them pulled in the whole tree. An academic paper published in 2025 measures the abuse. The cleanup costs landed on npm, RubyGems, PyPI, and every mirror and security scanner downstream.
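The traits reported above (tea.yaml present, empty packages, dependencies pointing at each other, a handful of accounts) can be combined into a registry-side triage check. This is an added example, not tooling from any of the vendors named: the metadata fields, thresholds, package names and accounts are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample registry metadata (not real packages or accounts).
PACKAGES = [
    {"name": "fmt-core", "publisher": "org-x", "deps": [], "tea_yaml": True, "code_bytes": 52000},
    {"name": "fmt-cli", "publisher": "org-x", "deps": ["fmt-core"], "tea_yaml": True, "code_bytes": 8100},
    {"name": "fmt-web", "publisher": "org-x", "deps": ["fmt-core"], "tea_yaml": True, "code_bytes": 12000},
    {"name": "web-kit", "publisher": "bob", "deps": ["fmt-core"], "tea_yaml": False, "code_bytes": 91000},
    {"name": "sample-a1", "publisher": "acct-1", "deps": ["sample-b2", "sample-c3"], "tea_yaml": True, "code_bytes": 0},
    {"name": "sample-b2", "publisher": "acct-1", "deps": ["sample-c3", "sample-d4"], "tea_yaml": True, "code_bytes": 40},
    {"name": "sample-c3", "publisher": "acct-2", "deps": ["sample-a1"], "tea_yaml": True, "code_bytes": 0},
    {"name": "sample-d4", "publisher": "acct-2", "deps": ["sample-a1", "sample-b2"], "tea_yaml": True, "code_bytes": 0},
]

def find_clusters(packages):
    """Group tea-registered packages linked by dependencies between them."""
    tea = {p["name"]: p for p in packages if p["tea_yaml"]}
    parent = {n: n for n in tea}

    def root(n):  # union-find lookup with path halving
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for p in tea.values():
        for d in p["deps"]:
            if d in tea:
                parent[root(p["name"])] = root(d)
    groups = defaultdict(list)
    for n in tea:
        groups[root(n)].append(tea[n])
    return list(groups.values())

def flag_farms(packages, min_size=3, max_code_bytes=200, empty_ratio=0.8):
    """Return clusters that are large and mostly empty.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = []
    for members in find_clusters(packages):
        empty = sum(1 for m in members if m["code_bytes"] <= max_code_bytes)
        if len(members) >= min_size and empty / len(members) >= empty_ratio:
            flagged.append({
                "packages": sorted(m["name"] for m in members),
                "publishers": sorted({m["publisher"] for m in members}),
            })
    return flagged
```

The `fmt-*` cluster is the same size and also carries tea.yaml, but it contains real code, so only the empty cluster spanning two accounts is returned for review.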

tea responded that November by halting rewards distribution for the affected period and promising redesigned anti-spam rules. Howell told The Register the protocol would slash farmers’ rewards.

The launch

In September 2025, eight months before the protocol went live, tea ran a public sale on CoinList, a site that runs token sales for crypto projects: 4 billion TEA at $0.0005 each, implying a $50M valuation for the full 100 billion token supply. The terms unlocked 100% of the tokens on day one. Token sales usually stagger when buyers can sell, releasing tokens over months or years so early buyers can’t all...
