A new campaign involving typosquatted npm packages is targeting developers and DevOps environments by stealing sensitive cloud credentials, GitHub tokens, and CI/CD secrets from infected systems.
Security researchers discovered the operation after attackers uploaded 14 malicious packages to the npm registry within just a few hours. The packages impersonated trusted OpenSearch, ElasticSearch, and DevOps-related libraries, increasing the likelihood that developers would accidentally install them.
The campaign highlights the growing danger of software supply chain attacks, especially as attackers increasingly target developer ecosystems instead of traditional endpoints.
Malicious Packages Mimic Trusted Open-Source Libraries
The attackers used a typosquatting technique, where package names closely resemble legitimate libraries. As a result, a simple typing mistake during installation could trigger a compromise.
Several packages spoofed OpenSearch-related tools, including fake setup utilities and configuration managers. Additionally, the threat actor manipulated npm metadata fields to make the packages appear connected to legitimate projects.
Researchers linked all 14 packages to a single npm maintainer operating under the alias “vpmdhaj.”
Once installed, the malicious packages automatically executed hidden scripts through npm lifecycle hooks. Consequently, the malware launched immediately after the npm install command without requiring further user interaction.
Typosquatted npm Packages Use Stealthy Payloads
Investigators observed two separate malware variants during the campaign.
The older variant contacted a remote command-and-control server to fetch additional payloads. However, the newer version adopted a stealthier method by silently downloading the legitimate Bun JavaScript runtime and executing embedded malicious scripts locally.
This approach reduced suspicious outbound traffic and helped the malware evade security monitoring tools.
The second-stage payload aggressively searched for sensitive credentials across development environments, including:
- AWS access keys
- GitHub Actions tokens
- HashiCorp Vault secrets
- npm publish tokens
Researchers noted that the malware scanned multiple AWS regions and queried cloud metadata services to locate additional credentials.
Supply Chain Risks Increase With Stolen npm Tokens
The theft of npm publish tokens significantly raises the severity of the campaign.
If attackers obtain valid publish credentials, they could push malicious updates to trusted packages already used by thousands of organizations. Therefore, a single compromised developer workstation could become the starting point for a much wider supply chain compromise.
Security teams are advised to immediately rotate exposed credentials if any suspicious packages were installed after May 28, 2026.
Indicators and Defensive Measures
Researchers identified several indicators tied to the operation, including suspicious domains, malicious package names, and unusual Node.js activity involving Bun runtime downloads.
Organizations should also monitor for:
- Unexpected lifecycle script execution
- Outbound requests to unknown domains
- Unauthorized npm token usage
- Suspicious access to AWS metadata endpoints
Additionally, developers can reduce exposure by using the following installation option:
npm install --ignore-scriptsThis prevents lifecycle hooks from executing automatically during package installation.
The latest typosquatted npm packages campaign demonstrates how attackers continue exploiting developer trust and open-source ecosystems to gain access to critical cloud infrastructure and CI/CD environments.
No Comment! Be the first one.