Full Report
And then Microsoft busted them all
Analysis Summary
Based on the provided report regarding the May 2026 npm supply chain attack, here is the structured summary of the malicious campaign and tools used.
# Tool/Technique: Malicious npm Typosquatting (vpmdhaj Campaign)
## Overview
This is a coordinated supply chain attack involving 14 malicious npm packages designed to impersonate popular libraries (OpenSearch, Elasticsearch, AWS, and HashiCorp). The primary purpose is to harvest cloud and CI/CD credentials from developers and automated environments.
## Technical Details
- **Type:** Malware Family / Credential Harvester
- **Platform:** Cross-platform (Node.js/Bun environments, cloud CI/CD pipelines)
- **Capabilities:** Host reconnaissance, credential theft, persistence, and automated execution via package hooks.
- **First Seen:** May 28, 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0002 - Execution]**
- [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- [T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking (via npm hooks)]
- **[TA0006 - Credential Access]**
- [T1552 - Unsecured Credentials]
- [T1555 - Credentials from Password Stores]
- **[TA0007 - Discovery]**
- [T1082 - System Information Discovery]
- **[TA0011 - Command and Control]**
- [T1105 - Ingress Tool Transfer]
- [T1071.001 - Application Layer Protocol: Web Protocols]
## Functionality
### Core Capabilities
- **Typosquatting/Lookalike Naming:** Impersonates libraries like `@opensearch` and `elasticsearch` to trick developers.
- **Metadata Spoofing:** Manipulates `package.json` fields (homepage, bugs, repository) to point to legitimate GitHub projects to appear authentic.
- **Install-Time Execution:** Leverages `preinstall` and `postinstall` hooks to execute malicious scripts automatically upon `npm install`.
- **Credential Harvesting:** Specifically targets AWS IAM/STS tokens, HashiCorp Vault secrets, npm publish tokens, and GitHub Actions secrets.
### Advanced Features
- **Bun-Compiled Payloads:** Uses the Bun runtime (downloading it if necessary) to execute a 195 KB second-stage payload (`payload.bin`).
- **Version Inflation:** Sets version numbers to high values (e.g., 2.1.9201) to simulate a mature, trusted release history.
- **Silent Persistence:** The `index.js` file is configured to re-launch the malicious payload every time the module is required, ensuring the malware survives across different CI build stages.
## Indicators of Compromise
- **File Names:** `preinstall.js`, `payload.bin`
- **Maintainer Alias:** `vpmdhaj` (a39155771@gmail[.]com)
- **Network Indicators:** (Defanged) `a39155771@gmail[.]com` (Actor email)
- **Behavioral Indicators:** Unexpected POST requests containing base64-encoded JSON host data; automated downloading of the Bun runtime (v1.3.13) during npm package installation.
## Associated Threat Actors
- Tracked via the maintainer alias **vpmdhaj**.
## Detection Methods
- **Signature-based:** Scan for the presence of `payload.bin` within `node_modules` or the specific file hashes associated with the 14 identified packages.
- **Behavioral:** Monitor for `npm install` processes that initiate external network connections to unknown C2 servers or those that attempt to access sensitive directories (e.g., `.aws/credentials`, Vault tokens).
- **Audit:** Use `npm audit` or software composition analysis (SCA) tools to identify unauthorized or typosquatted packages.
## Mitigation Strategies
- **Immediate Action:** Rotate all AWS, HashiCorp Vault, npm, and GitHub Actions secrets if any of the malicious packages were installed.
- **Hardening:** Use **npm scopes** and **lockfiles** (`package-lock.json`) to ensure only verified packages are installed.
- **Prevention:** Implement registry proxies or private registries to vet packages before they are available to developers.
- **Policy:** Restrict the use of `preinstall` scripts using the `--ignore-scripts` flag during installation where possible.
## Related Tools/Techniques
- **Protestware:** Similar delivery via npm hooks, though with different intent.
- **Dependency Confusion:** A related supply chain technique that exploits internal vs. public package naming.