Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
A single npm user published 14 malicious packages over a four-hour window, impersonating popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries. The packages were published under a newly created maintainer alias, vpmdhaj (a39155771@gmail[.]com), and targeted the @opensearch and @elastic ecosystems. They went after credentials for Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry. Each package contained the same install-time stager and a Bun-compiled, 195 KB second-stage credential harvester aimed at cloud and CI/CD environments. With stolen tokens, the attacker could move laterally across cloud environments, exfiltrate more data, and publish further poisoned updates under hijacked maintainer identities. All 14 packages have since been removed; Microsoft published the list of package names and recommended rotating any AWS IAM/STS, Vault, npm publish, and GitHub Actions tokens exposed on or after May 28.
Source: The Register