A coordinated npm supply chain attack has been uncovered targeting developers working with OpenSearch, ElasticSearch, and DevOps tooling, with attackers actively stealing cloud credentials and CI/CD secrets from infected systems.
The malicious packages imitate legitimate libraries by using lookalike names such as opensearch-setup and elastic-opensearch-helper, while falsely linking to the official OpenSearch GitHub repository in their metadata.
To further enhance credibility, the attacker assigned unusually high version numbers, creating the illusion of mature and widely used software.
Once installed, the packages automatically execute malicious code through npm lifecycle hooks, specifically the preinstall script, which triggers without requiring any interaction from the developer.
This allows the attacker to run code immediately during dependency installation, making the compromise both silent and effective.
The attack uses a two-stage payload system. In earlier versions, a JavaScript-based stager collects system information including hostname, operating system, Node.js version, and environment variables, then sends this data to a remote command-and-control server.
The server responds with a compressed binary payload that is executed on the host system. A unique HTTP header, “X-Supply: 1,” is used during communication, which can serve as a detection indicator in network logs.
Microsoft researchers reported that on May 28, 2026, a single threat actor using the alias “vpmdhaj” published 14 malicious packages within just four hours, leveraging typosquatting and metadata spoofing to deceive developers into installing them.
In later variants, the attacker improved stealth by eliminating direct command-and-control communication.
Instead, the malicious script downloads the legitimate Bun runtime from GitHub and uses it to execute a pre-packaged second-stage payload embedded within the npm package. This approach reduces suspicious outbound traffic and helps evade traditional detection mechanisms.
The second-stage payload is a compact Bun-compiled binary designed specifically for credential harvesting. It targets multiple platforms, including Amazon Web Services, HashiCorp Vault, GitHub Actions, and npm itself.
[Figure: Typosquatted npm Packages]
The malware extracts AWS credentials from environment variables, queries the EC2 Instance Metadata Service and ECS task metadata endpoints, and enumerates secrets stored in AWS Secrets Manager across multiple regions.
In newer versions, the actor replaced the noisy HTTP-C2 design with a stealthier loader that eliminates the install-time C2 round-trip entirely.
The malware also collects Vault tokens and validates npm publish tokens, enabling attackers to hijack package maintainer accounts and propagate further supply chain attacks.

A notable persistence mechanism ensures the payload continues to execute beyond initial installation. The malicious module re-launches the payload whenever it is imported in application code, allowing it to survive across development cycles and CI/CD pipeline executions.
The impact of this campaign is significant. Stolen AWS credentials can enable lateral movement across cloud environments, while compromised CI/CD tokens may allow attackers to manipulate build pipelines or inject malicious code into production systems.
The theft of npm publish tokens presents an additional risk, as attackers can push malicious updates to legitimate packages, expanding the attack’s reach.
Following responsible disclosure, the identified packages and associated accounts have been removed from the npm registry. However, organizations that may have installed these packages remain at risk.
Security teams are advised to audit systems for affected dependencies installed after May 28, 2026, and immediately rotate exposed credentials, including AWS IAM roles, Vault tokens, npm publish tokens, and GitHub Actions secrets.
Developers should temporarily disable npm install scripts using the ignore-scripts setting and carefully review dependency lock files and build logs for anomalies.
Network defenders should monitor for suspicious outbound traffic, particularly requests containing the “X-Supply: 1” header, and block known malicious domains linked to the campaign.
Additionally, reviewing CloudTrail logs for unusual API activity, such as rapid role assumptions or cross-region secret access, can help identify compromised environments.
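One way to run the cross-region secret access check over exported CloudTrail records, as an added example that is not part of the original report. The 3-region threshold, the 10-minute window, the role ARNs and the sample records are assumptions constructed for illustration; the record fields (eventTime, eventSource, eventName, awsRegion, userIdentity.arn) are standard CloudTrail fields.

```javascript
// Added example: flag principals whose Secrets Manager calls span several
// regions inside a short window. Thresholds are assumptions; tune per environment.
const SECRETS_EVENTS = new Set(['ListSecrets', 'GetSecretValue', 'BatchGetSecretValue']);

function findCrossRegionSecretAccess(records, { minRegions = 3, windowMs = 10 * 60 * 1000 } = {}) {
  const byPrincipal = new Map();
  for (const r of records) {
    if (r.eventSource !== 'secretsmanager.amazonaws.com') continue;
    if (!SECRETS_EVENTS.has(r.eventName)) continue;
    const arn = (r.userIdentity && r.userIdentity.arn) || 'unknown';
    if (!byPrincipal.has(arn)) byPrincipal.set(arn, []);
    byPrincipal.get(arn).push({ t: Date.parse(r.eventTime), region: r.awsRegion });
  }
  const alerts = [];
  for (const [arn, events] of byPrincipal) {
    events.sort((a, b) => a.t - b.t);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until it fits inside windowMs.
      while (events[end].t - events[start].t > windowMs) start++;
      const regions = new Set(events.slice(start, end + 1).map((e) => e.region));
      if (regions.size >= minRegions) {
        alerts.push({ arn, regions: [...regions].sort(),
                      firstSeen: new Date(events[start].t).toISOString() });
        break; // one alert per principal
      }
    }
  }
  return alerts;
}

// Constructed sample records (hypothetical roles in a documentation account ID).
const ev = (eventTime, arn, awsRegion, eventName = 'GetSecretValue',
            eventSource = 'secretsmanager.amazonaws.com') =>
  ({ eventTime, eventSource, eventName, awsRegion, userIdentity: { arn } });
const CI = 'arn:aws:sts::111122223333:assumed-role/ci-build/runner';
const APP = 'arn:aws:sts::111122223333:assumed-role/app-api/worker';
const SAMPLE = [
  ev('2026-05-28T14:00:05Z', CI, 'us-east-1', 'ListSecrets'),
  ev('2026-05-28T14:00:12Z', CI, 'us-west-2', 'ListSecrets'),
  ev('2026-05-28T14:00:20Z', CI, 'eu-west-1', 'ListSecrets'),
  ev('2026-05-28T09:00:00Z', APP, 'us-east-1'),
  ev('2026-05-28T13:00:00Z', APP, 'eu-west-1'),
  ev('2026-05-28T18:00:00Z', APP, 'us-west-2'),
  ev('2026-05-28T14:00:01Z', CI, 'us-east-1', 'AssumeRole', 'sts.amazonaws.com'),
];

console.log(findCrossRegionSecretAccess(SAMPLE));
```

Only the CI role is flagged in the sample: the application role also touches three regions, but hours apart, so it never fits the window.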
This incident highlights the growing sophistication of software supply chain attacks, where trusted ecosystems like npm are increasingly exploited to gain access to sensitive cloud and development infrastructure.
Indicators of Compromise (IOC)
| Indicator | Type | Description |
| --- | --- | --- |
| @vpmdhaj/elastic-helper (1.0.7269) | Package | Typosquat – ElasticSearch/OpenSearch helper |
| @vpmdhaj/devops-tools (1.0.7267) | Package | Typosquat – DevOps tools / OpenSearch setup |
| @vpmdhaj/opensearch-setup (1.0.7267) | Package | Typosquat – OpenSearch setup utility |
| @vpmdhaj/search-setup (1.0.7268) | Package | Typosquat – search engine setup |
| opensearch-security-scanner (1.0.10) | Package | Unscoped lookalike – security scanner |
| opensearch-setup (1.0.9103) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-setup-tool (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-config-utility (1.0.9106) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-engine-setup (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-cluster-setup (1.0.9104) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| elastic-opensearch-helper (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| vpmdhaj-opensearch-setup (1.0.9102) | Package | Unscoped – author-named OpenSearch setup |
| env-config-manager (2.1.9201) | Package | Typosquat – dotenv-style config manager |
| app-config-utility (1.0.9300) | Package | Typosquat – generic app config utility |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
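A lockfile audit built from the table above, as an added example that is not part of the original report. It checks a parsed package-lock.json (lockfileVersion 2 or 3) for the listed packages and also surfaces any other dependency carrying the lockfile's hasInstallScript flag; the sample lockfile is constructed, and treating every version under a listed name as suspect is an assumption.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// IOC names and versions are copied from the table above.
const IOC = new Map([
  ['@vpmdhaj/elastic-helper', '1.0.7269'], ['@vpmdhaj/devops-tools', '1.0.7267'],
  ['@vpmdhaj/opensearch-setup', '1.0.7267'], ['@vpmdhaj/search-setup', '1.0.7268'],
  ['opensearch-security-scanner', '1.0.10'], ['opensearch-setup', '1.0.9103'],
  ['opensearch-setup-tool', '1.0.9108'], ['opensearch-config-utility', '1.0.9106'],
  ['search-engine-setup', '1.0.9108'], ['search-cluster-setup', '1.0.9104'],
  ['elastic-opensearch-helper', '1.0.9108'], ['vpmdhaj-opensearch-setup', '1.0.9102'],
  ['env-config-manager', '2.1.9201'], ['app-config-utility', '1.0.9300'],
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i < 0 ? path : path.slice(i + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = meta.name || nameFromPath(path);
    let severity = null;
    if (IOC.has(name)) {
      // Assumption: any version published under an IOC name is suspect.
      severity = meta.version === IOC.get(name) ? 'ioc-exact' : 'ioc-name';
    } else if (meta.hasInstallScript) {
      severity = 'install-script'; // runs lifecycle scripts: review by hand
    }
    if (severity) findings.push({ severity, name, version: meta.version, path });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/opensearch-setup': { version: '1.0.9103', hasInstallScript: true },
    'node_modules/foo/node_modules/@vpmdhaj/devops-tools': { version: '1.0.7000', hasInstallScript: true },
    'node_modules/native-addon-example': { version: '2.3.1', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the function the result of `JSON.parse` on its package-lock.json. Transitive matches matter as much as direct ones, because the preinstall hook runs wherever the package sits in the tree.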

