Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems
Cybersecurity NewsArchived May 29, 2026✓ Full text saved
A new wave of malicious software packages has been caught stealing cloud credentials and CI/CD pipeline secrets from developer machines, raising fresh alarms about the security of the open-source software supply chain. The attack, uncovered on May 28, 2026, shows just how easy it has become for bad actors to slip dangerous code into the […] The post Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Typosquatted npm Packages Steal Cloud and CI/CD Secrets From Developer Systems
By Tushar Subhra Dutta
May 29, 2026
A new wave of malicious software packages has been caught stealing cloud credentials and CI/CD pipeline secrets from developer machines, raising fresh alarms about the security of the open-source software supply chain.
The attack, uncovered on May 28, 2026, shows just how easy it has become for bad actors to slip dangerous code into the hands of unsuspecting developers through a simple naming trick that deliberately exploits human error at scale and surprising speed.
The campaign revolves around a technique called typosquatting, where attackers publish packages with names nearly identical to popular, trusted libraries.
In this case, 14 malicious packages were uploaded to the npm registry within a four-hour window, all mimicking widely used tools related to OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries.
Once installed, these packages immediately begin collecting sensitive credentials and sending them to attacker-controlled servers without any visible sign of compromise.
Microsoft analysts identified the campaign and noted that all 14 packages were published by a single threat actor operating under the maintainer alias vpmdhaj, registered with the email a39155771@gmail[.]com.
Microsoft said in a report shared with Cyber Security News (CSN) that the packages ship the same credential-harvesting payload, a roughly 195 KB Bun-compiled binary that targets cloud and CI/CD environments.
The packages also used spoofed metadata, setting their homepage and repository fields to point at the legitimate OpenSearch project to appear trustworthy at a glance.
vpmdhaj npm supply chain attack flow (Source – Microsoft)
The stolen data includes AWS credentials, HashiCorp Vault tokens, GitHub Actions tokens, and npm publish tokens.
The last item is particularly worrying because stolen npm tokens could allow the attacker to push malicious updates to other packages, turning one compromised developer’s workstation into a launchpad for a much broader supply chain attack.
The scope of what these packages target, spanning multiple cloud platforms, CI/CD systems, and the npm registry itself, makes this one of the more sophisticated npm-based attacks seen recently.
Typosquatted npm Packages
The attack begins the moment a developer runs npm install. Every package in the cluster uses an automatic lifecycle hook that triggers malicious code without any additional action required from the victim.
npm.js package page (Source – Microsoft)
Two variants of this stager were observed: an older generation that contacts an external command-and-control server to fetch its payload, and a newer, stealthier generation that silently downloads the legitimate Bun runtime and uses it to run a pre-bundled malicious script hidden inside the npm tarball.
The newer variant is especially concerning because it avoids obvious outbound network traffic that might trigger security monitoring tools. Instead of reaching out to a suspicious server at install time, it quietly leverages a legitimate runtime to execute its payload.
The second-stage binary then scans across 16 or more AWS regions, queries the EC2 metadata service, reads environment variables, and checks whether it is running inside a GitHub Actions pipeline to prioritize credential collection based on available targets.
Stolen Tokens Enable Downstream Supply Chain Expansion
What separates this campaign from typical credential theft is the specific targeting of npm publish tokens.
If an attacker gains the ability to publish packages on behalf of a legitimate developer, they can inject malicious code into trusted libraries without the owner’s knowledge, expanding the campaign far beyond its original reach.
This creates a downstream risk that can ripple out to thousands of other projects well beyond the initial 14 malicious packages in this cluster.
Security teams should take immediate action if any of the affected packages were installed on or after May 28, 2026.
The recommended steps include rotating all AWS, Vault, npm, and GitHub credentials that may have been exposed, blocking egress to the attacker’s C2 domain at the firewall and DNS level, and reviewing CI/CD build logs for unexpected network connections or unusual Bun runtime downloads initiated by Node.js processes.
Running npm install with the –ignore-scripts flag can also prevent these lifecycle hooks from executing entirely, stopping the attack at its earliest entry point before any payload reaches disk.
Indicators of Compromise (IoCs):-
Type Indicator Description
npm Package @vpmdhaj/elastic-helper (1.0.7269) Typosquat – ElasticSearch/OpenSearch helper
npm Package @vpmdhaj/devops-tools (1.0.7267) Typosquat – DevOps tools / OpenSearch setup
npm Package @vpmdhaj/opensearch-setup (1.0.7267) Typosquat – OpenSearch setup utility
npm Package @vpmdhaj/search-setup (1.0.7268) Typosquat – search engine setup
npm Package opensearch-security-scanner (1.0.10) Unscoped lookalike – security scanner
npm Package opensearch-setup (1.0.9103) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package opensearch-setup-tool (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package opensearch-config-utility (1.0.9106) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package search-engine-setup (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package search-cluster-setup (1.0.9104) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package elastic-opensearch-helper (1.0.9108) Unscoped lookalike – spoofs opensearch-project repo URL
npm Package vpmdhaj-opensearch-setup (1.0.9102) Unscoped – author-named OpenSearch setup
npm Package env-config-manager (2.1.9201) Typosquat – dotenv-style config manager
npm Package app-config-utility (1.0.9300) Typosquat – generic app config utility
npm Maintainer vpmdhaj Threat actor publishing all 14 malicious packages
Email a39155771@gmail[.]com Maintainer contact email registered on npm
Domain aab.sportsontheweb[.]net Stage-1 C2 server used by Gen-1 packages
URL hxxp://aab.sportsontheweb[.]net/x.php Beacon and stage-2 payload delivery endpoint (port 80)
HTTP Header X-Supply: 1 Campaign-unique marker for proxy/firewall detection
IP Address 169.254.169.254 AWS EC2 IMDSv2 endpoint queried by stage-2 payload
IP Address 169.254.170.2 AWS ECS task metadata endpoint queried by stage-2 payload
SHA-256 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D preinstall.js – Gen-1 stager
SHA-256 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D setup.mjs – Gen-2 stager
SHA-256 BFA149694EC6411C23936311A999163ADE54D6F38E2F4B0E3CFB8CB67BD7CFAA payload.gz – gzipped Bun stage-2 binary
Filename opensearch_init.js Bun-compiled stage-2 credential harvester (~195 KB)
Filename ai_init.js Alternate stage-2 filename used by some Gen-2 packages
Filename payload.bin Dropped stage-2 binary in node_modules install directory
Environment Variable _DAEMONIZED=1 Marker set by stager when spawning detached payload process
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints
WhatsApp Chat Histories Stored Unencrypted on macOS and iOS
Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries
Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access
Latest News
Cyber Security News
Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware
Cyber Security News
Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware
Cyber Security News
Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens
Cyber Security News
Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products
Cyber Security News
MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration