Security

Typosquatted npm Packages Steal Cloud and CI/CD Secrets

3 min read

Summary

Microsoft has uncovered an active npm supply chain attack in which 14 typosquatted packages stole AWS credentials, HashiCorp Vault tokens, GitHub Actions data, and npm publish tokens during installation. The campaign matters because it targets developer and build environments, creating risk of cloud lateral movement, CI/CD compromise, and downstream software supply chain attacks.

Need help with Security?Talk to an Expert

Introduction

Microsoft has identified a serious npm supply chain campaign that targeted developers and build systems through typosquatted packages. Although the malicious packages have been removed, the techniques used in this attack show how quickly cloud credentials and CI/CD secrets can be exposed during a routine npm install.

For IT and security teams, this is a reminder that package managers remain a high-value attack path, especially in environments with access to AWS, Vault, GitHub Actions, and npm publishing tokens.

What’s new

Microsoft Defender Security Research reported that a single threat actor published 14 malicious npm packages within a four-hour period. These packages impersonated OpenSearch, ElasticSearch, DevOps, and environment configuration libraries.

Key findings include:

  • Typosquatted package names designed to look like legitimate OpenSearch and Elastic-related packages
  • Spoofed repository metadata pointing to the real OpenSearch project to build trust
  • Automatic execution during install via npm preinstall, install, or postinstall hooks
  • Two-stage malware delivery, including a newer variant that abuses the legitimate Bun runtime as a stealthier loader
  • Credential theft targeting:
    • AWS credentials from environment variables, IMDSv2, and ECS task metadata
    • AWS Secrets Manager across more than 16 regions
    • HashiCorp Vault tokens
    • GitHub Actions environment context
    • npm publish tokens for follow-on supply chain attacks

Why this matters for administrators

This attack goes beyond a single compromised workstation. If a malicious package runs inside a CI/CD pipeline or cloud-connected development environment, attackers may gain access to:

  • Cloud accounts and temporary AWS sessions
  • Secrets stored in AWS Secrets Manager
  • Build and deployment pipelines
  • npm maintainer tokens that could be used to publish malicious updates downstream

That creates a much larger blast radius than a typical developer malware incident. A compromised build agent or runner could become the starting point for cloud lateral movement or software supply chain compromise.

Administrators should review development and pipeline environments for exposure and strengthen package controls.

  • Audit npm dependencies for recently installed lookalike packages related to OpenSearch or ElasticSearch
  • Review build logs and proxy logs for suspicious install-time activity, including unusual lifecycle hook execution
  • Hunt for indicators such as requests with the X-Supply: 1 header or unexpected Bun downloads during package installation
  • Rotate exposed secrets immediately, including AWS credentials, Vault tokens, GitHub Actions secrets, and npm publish tokens
  • Restrict package installation sources and consider allowlists for approved registries and packages
  • Enable Defender XDR and advanced hunting to detect suspicious package execution and credential access behavior

Bottom line

This campaign highlights how a simple typo in an npm package name can lead to credential theft across cloud and CI/CD environments. Security teams should treat developer endpoints and build systems as critical assets and apply the same monitoring, secret hygiene, and supply chain protections used elsewhere in the enterprise.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

npmsupply chain securityCI/CDAWS credentialsMicrosoft Defender

Related Posts

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.