Coordinated npm Supply Chain Attack Exposed: A Threat to Developers
A recent investigation has unveiled a meticulously coordinated npm supply chain attack that targets developers engaged with OpenSearch, ElasticSearch, and various DevOps tools. This attack not only compromises the integrity of software packages but also leads to the theft of sensitive cloud credentials and continuous integration/continuous deployment (CI/CD) secrets from affected systems.
The intrusion is orchestrated through malicious packages that cleverly mimic legitimate libraries, employing similar names such as opensearch-setup and elastic-opensearch-helper. These packages mislead developers by linking back to what appears to be the official OpenSearch GitHub repository in their metadata, thereby enhancing their deceptive credibility.
To make the packages look trustworthy, the attackers assigned unusually high version numbers, giving the false impression of well-established and widely used software. The packages abuse npm lifecycle hooks, specifically the preinstall script, to execute harmful code automatically during installation, with no interaction from the developer. Because the code runs as soon as dependencies are installed, the attack is both stealthy and highly effective.
The sophistication of the attack is further illustrated by its two-stage payload system. In earlier iterations, a JavaScript-based stager gathered system information, including hostname, operating system, Node.js version, and environment variables. This information was then sent to a remote command-and-control (C2) server in requests carrying a unique HTTP header, “X-Supply: 1”. The header serves as an indicator that helps detect the malicious activity in network logs.
On May 28, 2026, Microsoft researchers reported that an individual threat actor known by the alias “vpmdhaj” managed to publish 14 malicious packages within just four hours. Relying on techniques such as typosquatting and metadata spoofing, the attacker tricked developers into installing these packages. Notably, in subsequent versions, the malicious script became stealthier by eliminating direct C2 communication and instead downloading the legitimate Bun runtime from GitHub. Bun was then used to execute a pre-packaged second-stage payload embedded within the npm package, which minimized suspicious outbound traffic and helped the malware evade traditional detection mechanisms.
The second-stage payload was a compact Bun-compiled binary built to harvest credentials. It targets a range of platforms, including Amazon Web Services, HashiCorp Vault, GitHub Actions, and even the npm registry itself. The malware can extract AWS credentials directly from environment variables, probe the EC2 Instance Metadata Service and ECS task metadata endpoints, and enumerate secrets stored in AWS Secrets Manager across multiple geographical regions.
As the attack evolved, the actor replaced noisy HTTP communication with a more discreet loader, eliminating the need for an installation-time C2 round-trip. The malicious code now also collects Vault tokens and validates npm publish tokens, enabling attackers to publish as the affected maintainers and potentially propagate further supply chain attacks.
One of the notable persistence mechanisms employed by the attackers ensures that the payload continues executing beyond the initial installation phase. By relaunching the payload whenever the malicious module is imported in application code, it positions itself to remain persistent across various development cycles and CI/CD pipeline executions.
The ramifications of this campaign are extensive. Stolen AWS credentials could enable lateral movements across cloud environments, while compromised CI/CD tokens pose risks of manipulating build pipelines or introducing malicious code into production systems. Additionally, the theft of npm publish tokens presents significant dangers, potentially allowing the adversaries to push harmful updates to legitimate packages.
Following responsible disclosure practices, the identified malicious packages and their associated accounts have been removed from the npm registry. However, organizations that may have unwittingly installed these compromised packages remain at risk.
Security teams are strongly advised to conduct thorough audits of their systems for any affected dependencies installed after May 28, 2026. This includes a critical need to rotate any exposed credentials, encompassing AWS IAM roles, Vault tokens, npm publish tokens, and GitHub Actions secrets. Developers are encouraged to temporarily disable npm install scripts by utilizing the ignore-scripts setting while meticulously reviewing dependency lock files and build logs for any signs of irregularities.
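The lock file review described above can be partly automated. The following script is an added example, not code from the original report: it flags entries in an npm lockfile (lockfileVersion 2 or 3) whose name is one of the two packages named in this article, or that combine an install script with an unusually high major version. The HIGH_MAJOR threshold, the function names and the sample lockfile are assumptions made for illustration.

```javascript
'use strict';

// Package names taken from the article; extend with names from your own advisories.
const KNOWN_BAD = new Set(['opensearch-setup', 'elastic-opensearch-helper']);
// Assumption: a major version at or above this counts as "unusually high".
const HIGH_MAJOR = 50;

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; keep the last package.
function packageNameFromPath(path) {
  const idx = path.lastIndexOf('node_modules/');
  return idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = meta.name || packageNameFromPath(path);
    const reasons = [];
    if (KNOWN_BAD.has(name)) reasons.push('name-listed-in-article');
    if (meta.hasInstallScript) reasons.push('has-install-script');
    const major = parseInt(String(meta.version || '').split('.')[0], 10);
    if (Number.isInteger(major) && major >= HIGH_MAJOR) reasons.push('high-major-version');
    // Install scripts alone are common (native addons), so report only a listed
    // name or a combination of at least two signals.
    if (KNOWN_BAD.has(name) || reasons.length >= 2) {
      findings.push({ name, version: meta.version, path, reasons });
    }
  }
  return findings;
}

// Constructed sample lockfile (not real data); versions and the other names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/opensearch-setup': { version: '99.1.0', hasInstallScript: true },
    'node_modules/native-addon-demo': { version: '2.3.1', hasInstallScript: true },
    'node_modules/left/node_modules/@demo/right': { version: '120.0.1', hasInstallScript: true },
    'node_modules/plain-lib-demo': { version: '5.4.5' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile in place of SAMPLE_LOCK.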
To bolster defensive measures, network security teams should actively monitor for any suspicious outbound traffic, especially requests containing the “X-Supply: 1” header. Blocking known malicious domains linked to this campaign is also recommended. Additionally, a review of CloudTrail logs for unusual API activity may shed light on compromised environments, particularly instances of rapid role assumptions or cross-region secret access.
This incident underlines the escalating sophistication of software supply chain attacks, in which trusted systems like npm are increasingly leveraged to gain unauthorized access to sensitive cloud and development infrastructure. It points to an urgent need for heightened vigilance and protective measures across the software development ecosystem.

