{“lastseen”:”2026-05-29T03:58:40″,”description”:”In this article\\n\\n 1. Attack chain overview\\n 1. The lure: typosquats and spoofed metadata\\n 2. Execution: npm lifecycle hook abuse\\n 3. Gen-1 stager: HTTP C2 beacon and payload drop\\n 4. Gen-2 stager: abusing the legitimate Bun runtime as a loader\\n 5. Credential theft\\n 6. Impact and blast radius\\n 2. Mitigation and protection guidance\\n 1. How Microsoft Defender helps\\n 2. Microsoft Defender XDR Detections\\n 3. Advanced hunting\\n 4. Indicators of Compromise (IOC)\\n 3. References\\n 4. Learn more\\n\\n\\n\\nMicrosoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI\/CD pipeline secrets from the host environment.\\n\\nAll packages in the cluster ship the same install-time stager and the same Bun-compiled second-stage payload – a ~195 KB credential harvester purpose-built for cloud and CI\/CD environments. The payload runs silently during npm install and targets credentials across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself, enabling both cloud lateral movement and downstream supply-chain pivoting through stolen npm publish tokens. Based on our investigation and feedback to the npm team these repos and users were taken down.\\n\\nKey capabilities observed in the campaign include automatic execution via npm lifecycle hooks, two distinct stager generations (an HTTP-C2 variant and a stealthier variant that abuses the legitimate Bun runtime distribution), AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks.\\n\\n## Attack chain overview\\n\\nThe vpmdhaj cluster spans 14 scoped and unscoped packages that all mimic the @opensearch \/ @elastic ecosystem. The attack proceeds through:\\n\\n * Publication of 14 typosquat packages under a single actor identity\\n * Automatic payload execution through a preinstall hook during npm install\\n * Execution chain (Gen-1): node -\\u003e preinstall.js -\\u003e HTTP C2 -\\u003e payload.bin (detached)\\n * Execution chain (Gen-2): node -\\u003e setup.mjs -\\u003e download legitimate Bun runtime -\\u003e run bundled stage-2\\n * Cloud credential theft (AWS IMDS, ECS metadata, Vault, Secrets Manager) and npm publish-token theft for downstream supply-chain pivot\\n\\nFigure 1. vpmdhaj npm supply chain attack flow.\\n\\n### The lure: typosquats and spoofed metadata\\n\\nThe actor adopted three social-engineering techniques designed to drive installs by mistake or trust transference. First, lookalike naming – names such as opensearch-setup, opensearch-setup-tool, opensearch-config-utility, elastic-opensearch-helper, search-engine-setup, and env-config-manager mimic well-known cluster-management and configuration libraries. Second, spoofed upstream metadata – every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com\/opensearch-project\/opensearch-js project. Third, inflated version numbers – releases jump straight to 1.0.7265, 1.0.9108, or 2.1.9201 to suggest a long, mature release history.\\n\\nFigure 2. npm.js package page for @vpmdhaj\/elastic-helper showing the inflated 1.0.7269 version and the spoofed OpenSearch repository link.\\n\\n### Execution: npm lifecycle hook abuse\\n\\nEvery package in the cluster declares an automatic install-time hook in package.json. The malicious code executes the moment a victim runs npm install – no require() from victim code is needed. Two stager variants were observed:\\n\\n * Gen-1 (versions \\u003c= 1.0.7265): install, preinstall, and postinstall hooks all invoke preinstall.js \/ index.js\\n * Gen-2 (versions \\u003e= 1.0.7266): a single preinstall hook invokes setup.mjs (newer, stealthier loader)\\n\\nFigure 3. The malicious package.json. A single preinstall hook is enough to gain code execution on every npm install.\\n\\n### Gen-1 stager: HTTP C2 beacon and payload drop\\n\\npreinstall.js collects rich host context – hostname, platform, arch, Node version, USER\/USERNAME, cwd, INIT_CWD, npm_package_name, npm_package_version – base64-encodes the JSON, and POSTs it to the actor’s C2 with a campaign-unique header X-Supply: 1. The same C2 endpoint then serves a gunzip-compressed second-stage binary, which is written to payload.bin in the package install directory, chmod 0755’d, and spawned detached.\\n\\nFigure 4. Stage-1 C2 beacon. The X-Supply: 1 header is a high-confidence detection signal in proxy logs. Figure 5. Stage-2 download, decompression, +x, and detached spawn. __DAEMONIZED=1 lets the payload distinguish itself from npm.\\n\\nThe package’s index.js re-launches the same payload.bin on every subsequent require() of the module – a quiet persistence mechanism that survives across CI build stages and developer rebuild loops. The module also exports a benign-looking object falsely identifying itself as @opensearch\/setup.\\n\\nFigure 6. Persistence shim. The malicious module exports benign-looking metadata and silently re-spawns the payload every time it is require()’d.\\n\\n### Gen-2 stager: abusing the legitimate Bun runtime as a loader\\n\\nIn newer versions, the actor replaced the noisy HTTP-C2 design with a stealthier loader that eliminates the install-time C2 round-trip entirely. setup.mjs (a) checks whether bun is already present on the host; (b) if not, downloads the legitimate Bun runtime v1.3.13 from github.com\/oven-sh\/bun\/releases for the correct platform\/arch (Linux x64\/musl\/aarch64, macOS x64\/arm64, Windows x64\/arm64); (c) extracts the ZIP using unzip, PowerShell Expand-Archive, or a hand-rolled ZIP parser; and (d) executes the pre-bundled second-stage payload (opensearch_init.js or ai_init.js) that ships inside the npm tarball.\\n\\nThis design reduces visibility for defenders that primarily monitor unusual outbound traffic during package installation.\\n\\nFigure 7. Gen-2 loader. The actor abuses a legitimate GitHub Release of the Bun runtime to execute a pre-bundled payload that ships inside the npm tarball.\\n\\n### Credential theft\\n\\nThe second-stage binary is a single-file Bun-compiled JavaScript binary of approximately 195 KB, purpose-built for cloud and CI\/CD secret theft. Static review of the bundle identifies routines that target secrets across five platforms:\\n\\n * AWS: queries EC2 Instance Metadata Service v2 (169.254.169[.]254), Elastic Container Service task metadata (169.254.170[.]2), reads AWS env credentials, calls STS GetCallerIdentity \/ AssumeRole, and enumerates Secrets Manager (ListSecrets \/ GetSecretValue) across 16+ regions with a bundled SigV4 signer.\\n * HashiCorp Vault: reads VAULT_TOKEN and VAULT_AUTH_TOKEN environment variables.\\n * npm: validates tokens through \/-\/whoami and enumerates publish access through \/-\/npm\/v1\/tokens.\\n * GitHub Actions: collects GITHUB_REPOSITORY and RUNNER_OS context to identify build environments for prioritized exploitation.\\n * CI\/CD environment: respects __DAEMONIZED=1 to avoid re-entry, and explicitly resets CI=false to mislead build-aware code paths.\\n\\nFigure 8. String evidence from the Bun-compiled stage-2 payload. The same binary is dropped by both Gen-1 and Gen-2 stagers.\\n\\n### Impact and blast radius\\n\\n * Stolen AWS STS sessions and Secrets Manager material enable cloud lateral movement and data theft.\\n * Stolen GitHub Actions tokens enable repo manipulation and CI\/CD pipeline tampering.\\n * Stolen npm publish tokens enable downstream supply-chain pivoting – pushing malicious updates to packages owned by hijacked maintainer identities, expanding the campaign beyond the initial 14 packages.\\n * All 14 packages target the OpenSearch \/ ElasticSearch ecosystem keywords, suggesting the actor likely chose a developer audience to have AWS and Elastic cloud credentials in their environments.\\n\\n\\n\\n## Mitigation and protection guidance\\n\\nMicrosoft recommends the following mitigations to reduce the impact of this threat:\\n\\n * Identify systems that installed or built affected package versions on or after May 28, 2026.\\n * Pin known-good package versions where possible and avoid automatic dependency upgrades until validation is complete.\\n * Disable pre- and post-installation script execution by running npm install with -ignore-scripts (or setting npm config set ignore-scripts true globally). Apply equivalent settings for pnpm and yarn.\\n * Rotate AWS IAM\/STS, HashiCorp Vault, npm publish, and GitHub Actions tokens that may have been exposed to affected runners or developer workstations.\\n * Block egress to aab.sportsontheweb[.]net at proxy, firewall, and DNS layers. Alert on any HTTP request carrying the header X-Supply: 1.\\n * Hunt CloudTrail for anomalous sts:GetCallerIdentity rapidly followed by sts:AssumeRole, and for secretsmanager:ListSecrets or GetSecretValue in cross-region succession from build infrastructure or developer IP space.\\n * Audit CI\/CD logs for unexpected outbound network connections, Bun runtime downloads from GitHub Releases by Node.js processes, and detached child processes spawned with __DAEMONIZED=1.\\n * Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.\\n * Enable cloud-delivered protection in Microsoft Defender Antivirus or equivalent antivirus protection.\\n * Use Microsoft Defender XDR to investigate suspicious activity across endpoints, identities, cloud apps, and developer environments.\\n * Use Microsoft Defender Vulnerability Management to search for the affected packages across your estate.\\n\\n\\n\\n### How Microsoft Defender helps\\n\\nMicrosoft Defender Antivirus detects and blocks the malicious components on access. During reproduction in our analysis environment, setup.mjs was automatically quarantined the moment the tarball was extracted to disk.\\n\\n_Figure 9. Microsoft Defender auto-quarantine of setup.mjs at extract time._\\n\\n### Microsoft Defender XDR Detections\\n\\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\n**Tactic**| **Observed activity**| **Microsoft Defender coverage** \\n—|—|— \\n**Initial Access \/ Execution******| Suspicious script execution during npm install or package lifecycle activity| **Microsoft Defender Antivirus \\n** -Trojan:JS\/ShaiWorm \\n-Trojan:JS\/ObfusNpmJs \\n-Backdoor:JS\/SupplyChain \\n \\n**Microsoft Defender for Endpoint \\n** – Suspicious usage of Bun runtime \\n- Suspicious installation of Bun runtime \\n- Suspicious Node.js process behavior \\n \\n**Microsoft Defender XDR \\n** – Suspicious file creation in temporary directory by node.exe \\n- Suspicious Bun execution from Node.js process \\n**Credential Access**| Potential harvesting of AWS, Vault, GitHub Actions, and npm tokens from CI\/CD runners| **Microsoft Defender for Endpoint \\n** – Credential access attempt \\n- Suspicious cloud credential access by npm-cached binary \\n- AWS Instance Metadata Service access from suspicious process \\n \\n**Microsoft Defender for Cloud \\n** – Possible IMDS abuse from container workload \\n- Anomalous Secrets Manager enumeration across regions \\n**Command and Control******| Outbound HTTP beacon with X-Supply: 1 header to attacker-controlled C2| **Microsoft Defender for Endpoint \\n** – Connection to a custom network indicator (aab.sportsontheweb[.]net) \\n- Suspicious outbound HTTP from npm install context \\n**Persistence**| Re-spawn of payload.bin on every require() of compromised package| **Microsoft Defender for Endpoint \\n** – Detached child process spawned by node.exe with __DAEMONIZED=1 \\n \\n### Advanced hunting\\n\\nThe following sample queries let you search for a week’s worth of events. To explore up to 30 days of raw data, go to the Advanced Hunting page \\u003e Query tab, and update the time range to Last 30 days.\\n\\n**Hunt for suspicious npm lifecycle script execution involving vpmdhaj packages**.\\n \\n \\n DeviceProcessEvents\\n | where Timestamp \\u003e ago(7d)\\n | where FileName in~ (\\”node.exe\\”, \\”node\\”, \\”npm.cmd\\”, \\”npm.exe\\”, \\”npx.cmd\\”, \\”npx.exe\\”)\\n | where ProcessCommandLine has_any (\\”preinstall\\”, \\”postinstall\\”, \\”install\\”)\\n | where ProcessCommandLine has_any (\\n \\”@vpmdhaj\\”, \\”opensearch-setup\\”, \\”opensearch-setup-tool\\”,\\n \\”opensearch-config-utility\\”, \\”opensearch-security-scanner\\”,\\n \\”search-engine-setup\\”, \\”search-cluster-setup\\”,\\n \\”elastic-opensearch-helper\\”, \\”vpmdhaj-opensearch-setup\\”,\\n \\”env-config-manager\\”, \\”app-config-utility\\”)\\n | project Timestamp, DeviceName, FileName, ProcessCommandLine,\\n InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\\n \\n\\n**Hunt for the stage-2 payload artifact on disk**.\\n \\n \\n DeviceFileEvents\\n | where Timestamp \\u003e ago(7d)\\n | where FileName =~ \\”payload.bin\\”\\n | where FolderPath has \\”node_modules\\”\\n | project Timestamp, DeviceName, FolderPath, FileName,\\n InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\\n \\n\\n**Hunt for detached payload execution with the campaign environment marker**.\\n \\n \\n DeviceProcessEvents\\n | where Timestamp \\u003e ago(7d)\\n | where ProcessCommandLine has \\”__DAEMONIZED=1\\”\\n or InitiatingProcessCommandLine has \\”__DAEMONIZED=1\\”\\n | project Timestamp, DeviceName, FileName, ProcessCommandLine,\\n InitiatingProcessFileName, InitiatingProcessCommandLine\\n \\n\\n**Hunt for Gen-2 loader: Bun runtime download from GitHub Releases by Node.js**.\\n \\n \\n DeviceNetworkEvents\\n | where Timestamp \\u003e ago(7d)\\n | where InitiatingProcessFileName in~ (\\”node.exe\\”, \\”node\\”)\\n | where RemoteUrl has \\”github.com\/oven-sh\/bun\/releases\/download\\”\\n | project Timestamp, DeviceName, RemoteUrl, RemoteIP,\\n InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\\n \\n\\n**Hunt for C2 beacon to attacker infrastructure**.\\n \\n \\n DeviceNetworkEvents\\n | where Timestamp \\u003e ago(30d)\\n | where RemoteUrl has \\”aab.sportsontheweb.net\\”\\n or RemoteUrl has \\”sportsontheweb.net\\”\\n | project Timestamp, DeviceName, RemoteUrl, RemoteIP,\\n InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\\n \\n\\n**Hunt for AWS IMDS \/ ECS metadata access from Node.js processes**.\\n \\n \\n DeviceNetworkEvents\\n | where Timestamp \\u003e ago(7d)\\n | where InitiatingProcessFileName in~ (\\”node.exe\\”, \\”node\\”, \\”bun.exe\\”, \\”bun\\”)\\n | where RemoteIP in (\\”169.254.169.254\\”, \\”169.254.170.2\\”)\\n | project Timestamp, DeviceName, RemoteIP, RemoteUrl,\\n InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName\\n \\n\\n### Indicators of Compromise (IOC)\\n\\n**Affected npm packages – all published by maintainer vpmdhaj on 2026-05-28:**\\n\\n**Indicator**| **Type**| **Description** \\n—|—|— \\n**@vpmdhaj\/elastic-helper (1.0.7269)******| Package| Typosquat – ElasticSearch\/OpenSearch helper \\n**@vpmdhaj\/devops-tools (1.0.7267)**| Package| Typosquat – DevOps tools \/ OpenSearch setup \\n**@vpmdhaj\/opensearch-setup (1.0.7267)******| Package| Typosquat – OpenSearch setup utility \\n**@vpmdhaj\/search-setup (1.0.7268)**| Package| Typosquat – search engine setup \\n**opensearch-security-scanner (1.0.10)******| Package| Unscoped lookalike – security scanner \\n**opensearch-setup (1.0.9103)**| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**opensearch-setup-tool (1.0.9108)******| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**opensearch-config-utility (1.0.9106)**| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**search-engine-setup (1.0.9108)******| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**search-cluster-setup (1.0.9104)**| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**elastic-opensearch-helper (1.0.9108)******| Package| Unscoped lookalike – spoofs opensearch-project repo URL \\n**vpmdhaj-opensearch-setup (1.0.9102)**| Package| Unscoped – author-named OpenSearch setup \\n**env-config-manager (2.1.9201)******| Package| Typosquat – dotenv-style config manager \\n**app-config-utility (1.0.9300)**| Package| Typosquat – generic app config utility \\n \\n#### **Actor, network, and file IOCs**\\n\\n**Indicator**| **Type**| **Description** \\n—|—|— \\n**vpmdhaj******| npm maintainer alias| Threat actor publishing all 14 packages \\n**a39155771@gmail.com**| Email| Maintainer contact email registered on npm \\n**aab.sportsontheweb[.]net******| Domain| Stage-1 C2 (Gen-1 packages) \\n**hxxp:\/\/aab.sportsontheweb[.]net\/x.php**| URL| Beacon + stage-2 payload endpoint (port 80) \\n**X-Supply: 1******| HTTP header| Campaign-unique marker – high-confidence proxy detection \\n**169.254.169.254**| IP| AWS EC2 IMDSv2 endpoint queried by stage-2 \\n**169.254.170.2******| IP| AWS ECS task metadata endpoint queried by stage-2 \\n**638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D**| SHA-256| preinstall.js (Gen-1 stager) \\n**77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D******| SHA-256| setup.mjs (Gen-2 stager) \\n**BFA149694EC6411C23936311A999163ADE54D6F38E2F4B0E3CFB8CB67BD7CFAA**| SHA-256| payload.gz (gzipped Bun stage-2) \\n**opensearch_init.js******| Filename| Bun-compiled stage-2 credential harvester (~195 KB) \\n**ai_init.js**| Filename| Alternate stage-2 filename used by some Gen-2 packages \\n**payload.bin******| Filename| Dropped stage-2 binary in node_modules install dir \\n**__DAEMONIZED=1**| Env var| Marker set by stager when spawning detached payload \\n \\n## References\\n\\n * https:\/\/www.npmjs.com\/~vpmdhaj – npm maintainer profile (all 14 packages)\\n * https:\/\/www.npmjs.com\/package\/@vpmdhaj\/elastic-helper\\n * https:\/\/www.npmjs.com\/package\/@vpmdhaj\/devops-tools\\n * https:\/\/docs.npmjs.com\/cli\/v10\/using-npm\/scripts – npm lifecycle scripts documentation\\n * https:\/\/bun.sh – Bun runtime (abused by Gen-2 stager as a loader)\\n * https:\/\/docs.aws.amazon.com\/AWSEC2\/latest\/UserGuide\/configuring-IMDS-use-IMDSv2.html – IMDSv2 hardening guidance\\n\\n\\n\\n_This research is provided by Microsoft Defender Security Research with contributions from members of Microsoft Threat Intelligence._\\n\\n## Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nReview our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization. \\n\\n * Microsoft 365 Copilot AI security documentation\\n * How Microsoft discovers and mitigates evolving attacks against AI guardrails\\n * Learn more about securing Copilot Studio agents with Microsoft Defender\\n * Evaluate your AI readiness with our latest Zero Trust for AI workshop.\\n * Learn more about Protect your agents in real-time during runtime (Preview)\\n * Explore how to build and customize agents with Copilot Studio Agent Builder\\n\\n\\n\\nThe post Typosquatted npm packages used to steal cloud and CI\/CD secrets appeared first on Microsoft Security Blog.”,”published”:”2026-05-29T03:04:52″,”modified”:”2026-05-29T03:04:52″,”type”:”mssecure”,”title”:”Typosquatted npm packages used to steal cloud and CI\/CD secrets”,”source”:””,”references”:””,”id”:”MSSECURE:7DF62CBD211C4009099D29D730CB02CF”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/28\/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-29T03:58:40″,”description”:”In this article\\n\\n 1. Attack chain overview\\n 1. The lure: typosquats and spoofed metadata\\n 2. Execution: npm lifecycle hook abuse\\n 3. Gen-1 stager: HTTP C2…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-57982","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n