Microsoft uncovers npm supply chain attack stealing cloud and CI/CD credentials via typosquatted packages
By Microsoft Defender Security Research Team
Summary
Microsoft identified an active supply chain attack (Mini Shai-Hulud campaign) targeting the npm package ecosystem. On May 28, 2026, a threat actor using the alias vpmdhaj published 14 malicious typosquatted packages within four hours. These packages impersonate OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, with several spoofing the upstream OpenSearch project's repository URL. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from developer environments.
Key quotes
Microsoft has identified an active supply chain attack targeting the npm package ecosystem.
On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window.
The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project's repository URL in their package.json to appear legitimate.
Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets.
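The repository-URL spoofing described above is easy to check for locally: a package whose package.json claims a trusted upstream organization but whose name is not one that organization actually publishes is worth a look. The script below is an added defender-side example, not code from Microsoft's report; the allowlist of trusted orgs and their package names, and the sample manifests, are constructed assumptions that a team would replace with its own data.

```python
"""Flag installed npm packages whose package.json points at a trusted upstream
repository while the package name is not one that upstream is known to publish."""
import json
import re
from pathlib import Path

# ASSUMPTION: allowlist of trusted GitHub orgs -> package names they really publish.
# Populate from the upstream project's own registry listings before relying on it.
TRUSTED_ORG_PACKAGES = {
    "github.com/opensearch-project": {"@opensearch-project/opensearch"},
}

# Matches both "https://github.com/<org>/<repo>" and the "github:<org>/<repo>" shorthand.
ORG_RE = re.compile(r"(?:github\.com[/:]|github:)([A-Za-z0-9_.-]+)", re.I)


def repo_org(repository):
    """Normalise package.json 'repository' (string or object) to 'github.com/<org>',
    or None when absent or not hosted on GitHub."""
    url = repository.get("url", "") if isinstance(repository, dict) else (repository or "")
    m = ORG_RE.search(url)
    return f"github.com/{m.group(1).lower()}" if m else None


def spoof_findings(manifests):
    """manifests: iterable of (path, parsed package.json). Returns (path, name, org)
    for packages claiming a trusted org but not in that org's known package set."""
    findings = []
    for path, pkg in manifests:
        org = repo_org(pkg.get("repository"))
        if org in TRUSTED_ORG_PACKAGES and pkg.get("name") not in TRUSTED_ORG_PACKAGES[org]:
            findings.append((path, pkg.get("name"), org))
    return findings


def scan_node_modules(root):
    """Yield (path, manifest) for every package.json under an installed tree."""
    for p in Path(root).rglob("package.json"):
        try:
            yield str(p), json.loads(p.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than abort


# Constructed sample manifests for an offline run (not real packages).
SAMPLE_MANIFESTS = [
    ("node_modules/@opensearch-project/opensearch/package.json",
     {"name": "@opensearch-project/opensearch",
      "repository": {"type": "git", "url": "git+https://github.com/opensearch-project/opensearch-js.git"}}),
    ("node_modules/opensearh-client/package.json",
     {"name": "opensearh-client", "repository": "github:opensearch-project/opensearch-js"}),
    ("node_modules/left-pad/package.json",
     {"name": "left-pad", "repository": {"url": "https://github.com/someone/left-pad"}}),
]

if __name__ == "__main__":
    for path, name, org in spoof_findings(SAMPLE_MANIFESTS):
        print(f"SUSPECT {name} ({path}) claims {org} but is not a known package of that org")
```

Run `spoof_findings(scan_node_modules("node_modules"))` against a real install to audit it; a hit is a lead for manual review, not proof of compromise, since forks and renamed packages also produce mismatches.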
