Typosquatted npm packages used to steal cloud and CI/CD secrets

The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disrupt related activity. The post Typosquatted npm packages used to steal cloud and CI/CD secrets appeared first on Microsoft Security Blog .

In this article Attack chain overview The lure: typosquats and spoofed metadata Execution: npm lifecycle hook abuse Gen-1 stager: HTTP C2 beacon and payload drop Gen-2 stager: abusing the legitimate Bun runtime as a loader Credential theft Impact and blast radius Mitigation and protection guidance How Microsoft Defender helps Microsoft Defender XDR Detections Advanced hunting Indicators of Compromise (IOC) References Learn more Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.

]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package. json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment. All packages in the cluster ship the same install-time stager and the same Bun-compiled second-stage payload – a ~195 KB credential harvester purpose-built for cloud and CI/CD environments.

The payload runs silently during npm install and targets credentials across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself, enabling both cloud lateral movement and downstream supply-chain pivoting through stolen npm publish tokens. Based on our investigation and feedback to the npm team these repos and users were taken down.

Key capabilities observed in the campaign include automatic execution via npm lifecycle hooks, two distinct stager generations (an HTTP-C2 variant and a stealthier variant that abuses the legitimate Bun runtime distribution), AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks. Attack chain overview The vpmdhaj cluster spans 14 scoped and unscoped packages that all mimic the @opensearch / @elastic ecosystem.

The attack proceeds through: Publication of 14 typosquat packages under a single actor identity Automatic payload execution through a preinstall hook during npm install Execution chain (Gen-1): node -> preinstall. js -> HTTP C2 -> payload. bin (detached) Execution chain (Gen-2): node -> setup. mjs -> download legitimate Bun runtime -> run bundled stage-2 Cloud credential theft (AWS IMDS, ECS metadata, Vault, Secrets Manager) and npm publish-token theft for downstream supply-chain pivot Figure 1. vpmdhaj npm supply chain attack flow.

The lure: typosquats and spoofed metadata The actor adopted three social-engineering techniques designed to drive installs by mistake or trust transference.