Microsoft — Typosquatted npm Packages Steal Cloud & CI/CD Secrets
AI relevance: AI development teams heavily depend on npm packages for LLM tooling, vector DB clients, and agent frameworks — making them prime targets for supply-chain attacks that steal cloud credentials and CI/CD pipeline secrets.
Summary
On May 28, 2026, Microsoft disclosed an active supply-chain attack where a single threat actor published 14 typosquatted npm packages mimicking OpenSearch, ElasticSearch, and DevOps libraries. The packages auto-execute during npm install and harvest AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens from victim environments.
Key findings
- Actor identity: New npm maintainer alias vpmdhaj (registered with Gmail address a39155771@gmail[.]com) published all 14 packages within a four-hour window.
- Three social-engineering layers: Lookalike naming (e.g., opensearch-setup, elastic-opensearch-helper), spoofed upstream metadata pointing to legitimate OpenSearch GitHub repos, and inflated version numbers (1.0.7265+) to simulate mature release history.
- Install-time execution: Every package declares a preinstall lifecycle hook — code runs the moment a victim runs npm install, with no require() needed.
- Two stager generations:
  - Gen-1: POSTs host context (hostname, arch, Node version, cwd) to actor C2 with an X-Supply: 1 header, receives a gunzipped second-stage binary.
  - Gen-2: Downloads the legitimate Bun runtime from GitHub Releases, runs a pre-bundled payload — eliminating C2 network traffic during install.
- Credential harvester (~195 KB Bun binary): Targets AWS IMDSv2, ECS task-role metadata, Secrets Manager across 16+ regions (with bundled SigV4 signer), Vault tokens, GitHub Actions context, and npm publish tokens for downstream supply-chain pivoting.
- Persistence: The malicious module's index.js re-spawns the payload on every require() — surviving across CI build stages and developer rebuild loops.
- AI ecosystem overlap: Several packages spoof AI-adjacent library names (ai_init.js in the Gen-2 payload, environment configuration libraries common in ML ops tooling).
Why it matters
AI development pipelines typically install dozens of npm packages per project — from LangChain integrations to vector database SDKs and MCP tooling. This campaign specifically targets that trust model by mimicking infrastructure libraries that appear in AI developer workflows. Stolen npm publish tokens enable follow-on supply-chain attacks, while AWS Secrets Manager access gives attackers direct routes into model-training data stores and inference endpoints.
The Gen-2 stager's elimination of install-time C2 traffic demonstrates a rapidly maturing threat: attackers now know what security teams monitor and design around it. Any organization running automated npm install in CI/CD pipelines — including AI model deployment, agent testing, and evaluation infrastructure — should treat this as an active risk.
What to do
- Audit npm dependencies — check for packages from maintainer vpmdhaj or any packages with suspiciously high version numbers on recently created accounts.
- Rotate credentials — if any affected package was installed between May 28–29, 2026, rotate AWS keys, Vault tokens, GitHub Actions secrets, and npm publish tokens.
- Enable npm 2FA approval gate — GitHub's new 2FA gate for npm publishing blocks the stolen CI/CD token vector used in this and prior 2026 campaigns.
- Monitor proxy logs — look for X-Supply: 1 headers in outbound traffic, and for unexpected github.com/oven-sh/bun downloads during package installation.
- Restrict npm lifecycle hooks — consider blocking preinstall/postinstall hooks in CI environments using --ignore-scripts or npm's allow-scripts configuration.