CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 29, 2026

Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems

Cybersecurity News Archived May 29, 2026 ✓ Full text saved

A new wave of malicious software packages has been caught stealing cloud credentials and CI/CD pipeline secrets from developer machines, raising fresh alarms about the security of the open-source software supply chain. The attack, uncovered on May 28, 2026, shows just how easy it has become for bad actors to slip dangerous code into the […] The post Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems By Tushar Subhra Dutta May 29, 2026 A new wave of malicious software packages has been caught stealing cloud credentials and CI/CD pipeline secrets from developer machines, raising fresh alarms about the security of the open-source software supply chain. The attack, uncovered on May 28, 2026, shows just how easy it has become for bad actors to slip dangerous code into the hands of unsuspecting developers through a simple naming trick that deliberately exploits human error at scale and surprising speed. The campaign revolves around a technique called typosquatting, where attackers publish packages with names nearly identical to popular, trusted libraries. In this case, 14 malicious packages were uploaded to the npm registry within a four-hour window, all mimicking widely used tools related to OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. Once installed, these packages immediately begin collecting sensitive credentials and sending them to attacker-controlled servers without any visible sign of compromise. Microsoft analysts identified the campaign and noted that all 14 packages were published by a single threat actor operating under the maintainer alias vpmdhaj, registered with the email a39155771@gmail[.]com.  Microsoft said in a report shared with Cyber Security News (CSN) that the packages ship the same credential-harvesting payload, a roughly 195 KB Bun-compiled binary that targets cloud and CI/CD environments. The packages also used spoofed metadata, setting their homepage and repository fields to point at the legitimate OpenSearch project to appear trustworthy at a glance. vpmdhaj npm supply chain attack flow (Source – Microsoft) The stolen data includes AWS credentials, HashiCorp Vault tokens, GitHub Actions tokens, and npm publish tokens. The last item is particularly worrying because stolen npm tokens could allow the attacker to push malicious updates to other packages, turning one compromised developer’s workstation into a launchpad for a much broader supply chain attack. The scope of what these packages target, spanning multiple cloud platforms, CI/CD systems, and the npm registry itself, makes this one of the more sophisticated npm-based attacks seen recently. Typosquatted npm Packages The attack begins the moment a developer runs npm install. Every package in the cluster uses an automatic lifecycle hook that triggers malicious code without any additional action required from the victim. npm.js package page (Source – Microsoft) Two variants of this stager were observed: an older generation that contacts an external command-and-control server to fetch its payload, and a newer, stealthier generation that silently downloads the legitimate Bun runtime and uses it to run a pre-bundled malicious script hidden inside the npm tarball. The newer variant is especially concerning because it avoids obvious outbound network traffic that might trigger security monitoring tools. Instead of reaching out to a suspicious server at install time, it quietly leverages a legitimate runtime to execute its payload. The second-stage binary then scans across 16 or more AWS regions, queries the EC2 metadata service, reads environment variables, and checks whether it is running inside a GitHub Actions pipeline to prioritize credential collection based on available targets. Stolen Tokens Enable Downstream Supply Chain Expansion What separates this campaign from typical credential theft is the specific targeting of npm publish tokens. If an attacker gains the ability to publish packages on behalf of a legitimate developer, they can inject malicious code into trusted libraries without the owner’s knowledge, expanding the campaign far beyond its original reach. This creates a downstream risk that can ripple out to thousands of other projects well beyond the initial 14 malicious packages in this cluster. Security teams should take immediate action if any of the affected packages were installed on or after May 28, 2026. The recommended steps include rotating all AWS, Vault, npm, and GitHub credentials that may have been exposed, blocking egress to the attacker’s C2 domain at the firewall and DNS level, and reviewing CI/CD build logs for unexpected network connections or unusual Bun runtime downloads initiated by Node.js processes. Running npm install with the –ignore-scripts flag can also prevent these lifecycle hooks from executing entirely, stopping the attack at its earliest entry point before any payload reaches disk. Indicators of Compromise (IoCs):- Type Indicator Description npm Package @vpmdhaj/elastic-helper (1.0.7269) Typosquat – ElasticSearch/OpenSearch helper npm Package @vpmdhaj/devops-tools (1.0.7267) Typosquat – DevOps tools / OpenSearch setup npm Package @vpmdhaj/opensearch-setup (1.0.7267) Typosquat – OpenSearch setup utility npm Package @vpmdhaj/search-setup (1.0.7268) Typosquat – search engine setup npm Package opensearch-security-scanner (1.0.10) Unscoped lookalike – security scanner npm Package opensearch-setup (1.0.9103) Unscoped lookalike – spoofs opensearch-project repo URL npm Package opensearch-setup-tool (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL npm Package opensearch-config-utility (1.0.9106) Unscoped lookalike – spoofs opensearch-project repo URL npm Package search-engine-setup (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL npm Package search-cluster-setup (1.0.9104) Unscoped lookalike – spoofs opensearch-project repo URL npm Package elastic-opensearch-helper (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL npm Package vpmdhaj-opensearch-setup (1.0.9102) Unscoped – author-named OpenSearch setup npm Package env-config-manager (2.1.9201) Typosquat – dotenv-style config manager npm Package app-config-utility (1.0.9300) Typosquat – generic app config utility npm Maintainer vpmdhaj Threat actor publishing all 14 malicious packages Email a39155771@gmail[.]com Maintainer contact email registered on npm Domain aab.sportsontheweb[.]net Stage-1 C2 server used by Gen-1 packages URL hxxp://aab.sportsontheweb[.]net/x.php Beacon and stage-2 payload delivery endpoint (port 80) HTTP Header X-Supply: 1 Campaign-unique marker for proxy/firewall detection IP Address 169.254.169.254 AWS EC2 IMDSv2 endpoint queried by stage-2 payload IP Address 169.254.170.2 AWS ECS task metadata endpoint queried by stage-2 payload SHA-256 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D preinstall.js – Gen-1 stager SHA-256 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D setup.mjs – Gen-2 stager SHA-256 BFA149694EC6411C23936311A999163ADE54D6F38E2F4B0E3CFB8CB67BD7CFAA payload.gz – gzipped Bun stage-2 binary Filename opensearch_init.js Bun-compiled stage-2 credential harvester (~195 KB) Filename ai_init.js Alternate stage-2 filename used by some Gen-2 packages Filename payload.bin Dropped stage-2 binary in node_modules install directory Environment Variable _DAEMONIZED=1 Marker set by stager when spawning detached payload process Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints WhatsApp Chat Histories Stored Unencrypted on macOS and iOS Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access Latest News Cyber Security News Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware Cyber Security News Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware Cyber Security News Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens Cyber Security News Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products Cyber Security News MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 29, 2026
    Archived
    May 29, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗