Microsoft Uncovers Active npm Supply Chain Attack Using Typosquatted OpenSearch Packages to Steal Cloud Secrets

Microsoft has identified an active supply chain attack targeting the npm package ecosystem, where a single threat actor published 14 typosquatted packages within a four-hour window on May 28, 2026. The packages mimic well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project's repository URL in their package.json to appear legitimate. Once installed, the packages automatically execute a credential harvester that steals AWS credentials, HashiCorp Vault tokens, CI/CD pipeline secrets, and npm publish tokens, enabling both cloud lateral movement and downstream supply-chain pivoting.

The attack, attributed to a maintainer alias vpmdhaj (a39155771@gmail.com), employs three social-engineering techniques to drive installs by mistake or trust transference. First, lookalike naming includes packages such as opensearch-setup, opensearch-setup-tool, opensearch-config-utility, elastic-opensearch-helper, search-engine-setup, and env-config-manager. Second, every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com/opensearch-project/opensearch-js project. Third, inflated version numbers jump straight to 1.0.7265, 1.0.9108, or 2.1.9201 to suggest a long, mature release history.

Every package in the cluster declares an automatic install-time hook in package.json, meaning the malicious code executes the moment a victim runs npm install — no require() from victim code is needed. Two stager variants were observed. The Gen-1 stager (versions <= 1.0.7265) collects rich host context — hostname, platform, arch, Node version, USER/USERNAME, cwd, INIT_CWD, npm_package_name, npm_package_version — base64-encodes the JSON, and POSTs it to the actor's C2 with a campaign-unique header X-Supply: 1. The same C2 endpoint then serves a gunzip-compressed second-stage binary, which is written to payload.bin, made executable, and spawned detached.

The Gen-2 stager (versions = 1.0.7266) replaces the noisy HTTP-C2 design with a stealthier loader that eliminates the install-time C2 round-trip entirely. setup.mjs checks whether bun is already present on the host; if not, downloads the legitimate Bun runtime v1.3.13 from github.com/oven-sh/bun/releases for the correct platform/arch; extracts the ZIP; and executes the pre-bundled second-stage payload. This approach reduces network indicators and makes detection harder.

The second-stage payload is a ~195 KB Bun-compiled credential harvester purpose-built for cloud and CI/CD environments. Key capabilities include AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks. The package's index.js re-launches the same payload.bin on every subsequent require() of the module — a quiet persistence mechanism that survives across CI build stages and developer rebuild loops.

Based on Microsoft's investigation and feedback to the npm team, the malicious packages and user accounts were taken down. However, the incident highlights the growing sophistication of supply chain attacks that abuse legitimate package manager features like lifecycle hooks and runtime bundlers. Organizations are advised to audit their npm dependencies for any of the identified packages, monitor for the X-Supply: 1 header in proxy logs, and implement strict dependency pinning and integrity verification.

This campaign follows a broader trend of supply chain attacks targeting the npm ecosystem, including the recent Mini Shai-Hulud worm that infected hundreds of packages and the TrapDoor campaign that compromised 34 packages across multiple registries. The use of Bun as a stealthy loader represents an evolution in attacker tradecraft, leveraging legitimate tools to evade traditional detection mechanisms.