Skip to main content
Emerging ThreatsMalware & Ransomware

Malicious npm Packages Target Cloud Credentials

Developer workspace with laptop, terminal, and notes, hint of cloud diagram in background.

"likely chose a developer audience to have AWS and Elastic cloud credentials in their environments," Microsoft warned in a Thursday blog.

How the attacker delivered 14 malicious npm packages in four hours

According to Microsoft, a single npm account published 14 malicious packages within a four‑hour window, using a newly created maintainer alias, vpmdhaj (a39155771@gmail[.]com). The libraries impersonated popular projects in the @opensearch and @elastic ecosystems and targeted developer tooling and search-engine libraries. Examples of lookalike package names include opensearch-setup-tool, opensearch-config-utility, and elastic-opensearch-helper.

The actor relied on typosquatting and lookalike naming — packages named one or two letters off from legitimate projects — and also spoofed upstream metadata. “Every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com/opensearch-project/opensearch-js project,” Microsoft’s threat hunters wrote. The attacker additionally inflated version numbers (for example, jumping to 1.0.7265, 1.0.9108, or 2.1.9201) to imply a mature release history and encourage trust.

Install-time stagers: Gen‑1 and Gen‑2

All 14 packages contained the same install-time stager and the same Bun‑compiled second-stage payload, Microsoft reported. The second-stage binary is a 195 KB credential harvester purpose-built for cloud and CI/CD environments.

Microsoft describes two stager variants. The Gen‑1 stager uses install, preinstall, and postinstall npm hooks that invoke preinstall.js. That script collects host information — including hostname, platform, arch, Node version, USER/USERNAME, cwd, INIT_CWD, npm_package_name, and npm_package_version — base64‑encodes the JSON, and POSTs it to the actor’s command‑and‑control server. The server then serves a second‑stage payload, written to payload.bin in the package install directory.

Microsoft warned that “the package’s index.js re‑launches the same payload.bin on every subsequent require() of the module – a quiet persistence mechanism that survives across CI build stages and developer rebuild loops.”

The Gen‑2 stager replaces the install‑time C2 roundtrip with a loader that checks for a Bun runtime. If Bun is absent, the stager downloads the legitimate Bun runtime v1.3.13 and then executes the Bun‑compiled second‑stage payload, which begins credential collection across target environments.

Targets and consequences: AWS, HashiCorp Vault, GitHub Actions, npm

Microsoft says the malicious code was built to steal cloud credentials and CI/CD pipeline secrets across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself. After harvesting tokens and secrets, the actor can move laterally across cloud environments, steal additional sensitive data, and push poisoned updates to packages owned by hijacked maintainer identities — thereby expanding the scope beyond the initial 14 packages.

All of the malicious libraries have since been removed from the registry, and Microsoft published a list of all 14 packages in its advisory. Microsoft also advised checking systems that installed or built affected package versions on or after May 28.

What this means for developers, security teams, and package maintainers

  • Developers: Inspect recent npm installs and CI build logs for any of the listed package names or unexpected preinstall/postinstall execution on or after May 28; treat any exposed tokens as compromised.
  • Security teams: Rotate specific credentials Microsoft named — AWS IAM/STS, HashiCorp Vault, npm publish, and GitHub Actions tokens — for any environment that built or ran affected package versions; search for signs of lateral movement following token theft.
  • Package maintainers: Review package.json metadata and publish provenance closely; beware inflated version numbers and lookalike names that mimic reputable projects.

Microsoft’s advisory underscores a recurring pattern in open‑source supply‑chain attacks: social engineering to drive installs, metadata spoofing to appear legitimate, and install‑time execution to capture secrets before runtime protections can intercede. The company’s published list and the specific token‑rotation guidance give teams concrete next steps — but the mechanics shown here (preinstall hooks, Bun loaders, and persistent payloads relaunched on require()) are reminders that installs are an active attack surface in modern development workflows.

Read Microsoft’s list and advisory here: https://www.theregister.com/security/2026/05/29/14-malicious-npm-packages-impersonated-opensearch-elasticsearch-libraries/5248792