Typosquatted npm Packages Expose Multi-Cloud Environments to Credential Theft

Microsoft has identified an active supply chain attack targeting the npm package ecosystem that represents a significant risk to organizations using cloud-native development practices. On May 28, 2026, a single threat actor published 14 malicious packages within a four-hour window, demonstrating advanced techniques for stealing credentials across multi-cloud environments.

What Changed: The vpmdhaj Supply Chain Attack

The attack centers on packages published under the maintainer alias "vpmdhaj" (a39155771@gmail[.]com), which employ sophisticated typosquatting techniques to mimic legitimate OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. These packages not only use lookalike naming but also spoof upstream metadata by setting their package.json homepage, repository, and bugs fields to point to the legitimate github.com/opensearch-project/opensearch-js project.

{{IMAGE:2}} Figure 1. vpmdhaj npm supply chain attack flow

The campaign's execution model represents a significant evolution in npm supply chain attacks. Rather than simple one-time payloads, these packages implement a two-stage approach:

1. Initial stager: Executes during npm install via preinstall hooks
2. Second-stage payload: A ~195 KB Bun-compiled binary designed specifically for cloud credential harvesting

The attack chain begins automatically when developers install these packages through npm install, requiring no additional code execution from the victim application. The packages collect rich host context—including hostname, platform, architecture, Node version, and environment variables—then establish communication with the attacker's command and control infrastructure.

{{IMAGE:3}} Figure 2. npm.js package page for @vpmdhaj/elastic-helper showing the inflated 1.0.7269 version and the spoofed OpenSearch repository link.

Technical Evolution: From Direct C2 to Stealthy Loaders

Microsoft observed two distinct generations of this attack, with the second generation demonstrating increased sophistication:

• Gen-1 (versions ≤ 1.0.7265): Uses direct HTTP communication to a C2 server (aab.sportsontheweb[.]net) to download the payload
• Gen-2 (versions ≥ 1.0.7266): Eliminates the install-time C2 roundtrip by abusing the legitimate Bun runtime as a loader

Figure 3. The malicious package.json. A single preinstall hook is enough to gain code execution on every npm install.

The Gen-2 loader represents a concerning evolution in attack techniques. Instead of making suspicious network connections during installation, this approach:

1. Checks if Bun is already present on the host
2. Downloads the legitimate Bun runtime v1.3.13 from GitHub Releases
3. Extracts it using standard utilities
4. Executes a pre-bundled second-stage payload

{{IMAGE:5}} Figure 4. Stage-1 C2 beacon. The X-Supply: 1 header is a high-confidence detection signal in proxy logs.

This technique significantly reduces visibility for defenders who primarily monitor unusual outbound traffic during package installation, making detection more challenging.

Multi-Cloud Credential Theft Capabilities

The second-stage payload is purpose-built for extracting credentials across multiple cloud platforms and development environments:

AWS Credential Harvesting

The payload targets AWS credentials through multiple vectors:

• EC2 Instance Metadata Service v2 (169.254.169.254)
• Elastic Container Service task metadata (169.254.170.2)
• Environment credentials
• STS operations (GetCallerIdentity, AssumeRole)
• Secrets Manager enumeration across 16+ regions

HashiCorp Vault Token Theft

The package searches for VAULT_TOKEN and VAULT_AUTH_TOKEN environment variables, enabling access to secrets stored in Vault instances.

CI/CD Pipeline Compromise

The attack specifically targets CI/CD environments by:

• Collecting GitHub Actions context (GITHUB_REPOSITORY, RUNNER_OS)
• Respecting the __DAEMONIZED=1 environment variable to avoid re-entry
• Explicitly setting CI=false to mislead build-aware code paths

npm Registry Token Theft

Perhaps most concerning, the packages validate tokens through npm's /-/whoami endpoint and enumerate publish access through /-/npm/v1/tokens, enabling downstream supply-chain attacks through stolen npm publish tokens.

Business Impact: Multi-Cloud Strategy Vulnerabilities

This attack represents a significant risk to organizations implementing multi-cloud strategies for several reasons:

Supply Chain Trust Erosion

The attack exploits fundamental trust in the npm package ecosystem. Organizations with established processes for dependency management may still be vulnerable if developers accidentally install typosquatted packages, especially when those packages spoof legitimate repository URLs and use inflated version numbers to appear established.

Cloud Credential Compromise

Stolen AWS STS sessions and Secrets Manager material enable lateral movement across cloud environments. The ability to assume roles and access secrets across multiple regions creates significant risk for data exfiltration and infrastructure compromise.

CI/CD Pipeline Integrity

Compromised GitHub Actions tokens enable attackers to manipulate repositories, inject malicious code into builds, and potentially distribute malicious updates to legitimate packages. This represents a direct threat to the integrity of the software supply chain.

Downstream Supply Chain Attacks

The theft of npm publish tokens enables attackers to push malicious updates to packages owned by legitimate maintainers, expanding the campaign beyond the initial 14 packages and creating a cascading effect that could compromise thousands of downstream projects.

Provider Comparison: Cloud Security Posture

Different cloud providers offer varying levels of protection against these types of attacks:

AWS Security Capabilities

AWS provides several detection mechanisms for this attack:

• CloudTrail logging for sts:GetCallerIdentity followed by sts:AssumeRole
• CloudTrail monitoring for secretsmanager:ListSecrets or GetSecretValue across regions
• GuardDuty detection for unusual metadata service access

However, AWS does not provide native npm package scanning or dependency validation, leaving detection primarily to customer-implemented solutions.

Microsoft Azure Security Advantages

Microsoft Defender for Cloud offers specific detections for this attack:

• Possible IMDS abuse from container workloads
• Anomalous Secrets Manager enumeration across regions
• Integration with Microsoft Defender XDR for cross-environment threat detection

Microsoft's advantage lies in the integration between endpoint protection, cloud monitoring, and threat intelligence, providing a more comprehensive security posture.

Google Cloud Platform Considerations

GCP offers security tools like Security Command Center and Chronicle, but lacks specific detections for npm-based supply chain attacks. Organizations using GCP would need to implement custom monitoring for unusual metadata service access and credential harvesting patterns.

Migration Considerations: Moving Beyond npm Trust

Organizations should consider several strategies to mitigate risks from npm supply chain attacks:

Package Registry Alternatives

Consider using private package registries or alternative ecosystems like GitHub Packages or Artifactory that offer enhanced security features such as:

• Package provenance verification
• Required code reviews for new packages
• Enhanced vulnerability scanning

Dependency Scanning Implementation

Implement comprehensive dependency scanning tools that can detect:

• Typosquatted packages
• Unusual version patterns
• Suspicious package metadata
• Known malicious packages

Tools like Snyk, Dependabot, or Microsoft's own vulnerability management solutions can provide these capabilities.

CI/CD Pipeline Hardening

Secure CI/CD pipelines by:

• Implementing strict dependency pinning
• Disabling pre- and post-installation scripts
• Using read-only filesystems for build environments
• Implementing credential isolation

Strategic Recommendations

For organizations implementing multi-cloud strategies, this attack highlights several critical considerations:

1. Implement defense-in-depth: No single security control can prevent all supply chain attacks. Combine package scanning, runtime protection, and monitoring.

2. Adopt zero-trust principles for dependencies: Treat all third-party packages as potentially untrusted, regardless of their apparent legitimacy.

3. Enhance CI/CD security: Implement strict controls over build environments, including network segmentation and credential isolation.

4. Monitor for lateral movement: Detect unusual patterns of credential access, especially across multiple cloud regions and services.

5. Implement supply chain transparency: Use package signing and provenance verification to establish trust in package origins.

Mitigation and Protection Guidance

Microsoft recommends the following specific mitigations:

• Identify systems that installed affected package versions on or after May 28, 2026
• Pin known-good package versions and avoid automatic dependency upgrades
• Disable pre- and post-installation script execution using npm install --ignore-scripts
• Rotate AWS IAM/STS, HashiCorp Vault, npm publish, and GitHub Actions tokens
• Block egress to aab.sportsontheweb[.]net at proxy, firewall, and DNS layers
• Alert on HTTP requests with the X-Supply: 1 header
• Hunt CloudTrail for anomalous STS operations across regions
• Audit CI/CD logs for unexpected network connections and Bun runtime downloads

Featured image: Microsoft Defender's automated detection and quarantine of malicious npm packages

How Microsoft Defender Helps

Microsoft Defender Antivirus automatically detects and blocks the malicious components on access. During analysis, setup.mjs was quarantined the moment the tarball was extracted to disk. Microsoft Defender XDR provides coordinated detection across endpoints, identities, cloud apps, and developer environments.

The Microsoft Defender Vulnerability Management service allows organizations to search for affected packages across their entire estate, providing visibility into potential exposures.

For organizations implementing multi-cloud strategies, this attack underscores the importance of comprehensive security monitoring across all environments and the need to move beyond simple trust in package ecosystems to implement robust defense-in-depth strategies.