OpenSearch, npm, ElasticSearch, Amazon Web Services and GitHub: Typosquatted npm Packages Steal Cloud and CI/CD Secrets

Sophisticated npm Supply Chain Attack Targets OpenSearch, ElasticSearch, and DevOps Tools

A recently uncovered npm supply chain attack has targeted developers working with OpenSearch, ElasticSearch, and DevOps tooling, stealing cloud credentials and CI/CD secrets from the machines that installed the packages. The campaign, attributed to a threat actor using the alias vpmdhaj, involved 14 malicious packages published on May 28, 2026, within a four-hour window.

The attackers employed typosquatting and metadata spoofing, mimicking legitimate libraries with names like opensearch-setup and elastic-opensearch-helper while pointing their repository metadata at the official OpenSearch GitHub repository, a project the packages had no connection to. To appear credible, the packages were published with inflated version numbers that suggested a mature, widely used library.

Upon installation, the malicious packages executed code from an npm preinstall script, which npm runs automatically during npm install with no further user interaction. The attack used a two-stage payload:

  • Early versions used a JavaScript stager to collect system details (hostname, OS, Node.js version, environment variables) and send them to a command-and-control (C2) server. The server's response, a compressed binary payload, carried an “X-Supply: 1” HTTP header, which makes it identifiable in network logs.
  • Later variants improved stealth by dropping the direct C2 exchange: the stager instead downloaded the Bun runtime from GitHub and used it to run an embedded second-stage payload. Because the only outbound connection went to GitHub, the traffic blended into normal developer activity and evaded detection based on connections to unknown hosts.

The second-stage payload, a Bun-compiled binary, harvested credentials from multiple sources, including:

  • Amazon Web Services (AWS) – Reading environment variables, querying the EC2 Instance Metadata Service (IMDS) and ECS task metadata endpoints for role credentials, and enumerating secrets in AWS Secrets Manager.
  • HashiCorp Vault – Harvesting Vault tokens.
  • GitHub Actions & npm – Validating stolen GitHub Actions and npm publish tokens, so that maintainer accounts could be taken over and further malicious releases pushed to propagate the supply chain attack.

A persistence mechanism re-executed the payload whenever the malicious module was imported, so it ran again in every development session and CI/CD pipeline run that loaded the dependency, not only at install time.

The impact of the campaign is severe:

  • Stolen AWS credentials could enable lateral movement in cloud environments.
  • Compromised CI/CD tokens may allow attackers to manipulate build pipelines or inject malicious code into production.
  • Hijacked npm publish tokens pose a risk of malicious updates to legitimate packages, expanding the attack’s reach.

Following responsible disclosure, the malicious packages and associated accounts were removed from the npm registry. Organizations that installed these dependencies remain at risk, however: credentials were exfiltrated at install time, and removing the package does not revoke them. Security teams are urged to audit systems for the affected packages, rotate every credential those systems could have exposed, and monitor for indicators of compromise, including the “X-Supply: 1” HTTP response header and unusual CloudTrail activity.
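The two indicators called out above, the “X-Supply: 1” response header and instance-role credentials (the kind the payload pulls from IMDS) showing up in CloudTrail from somewhere they should not, can be turned into straightforward detections. The following is an added example, not code or telemetry from the incident report; KNOWN_EGRESS, the response_headers field name, and every sample record are assumptions constructed for illustration:

```javascript
'use strict';

// Assumed for this example: the organisation's own egress IPs. Any other source
// of a call made with instance-role credentials means the keys left the host.
const KNOWN_EGRESS = new Set(['203.0.113.10', '203.0.113.11']);

// Secrets Manager calls a credential stealer makes when it enumerates secrets.
const SECRETS_ENUM = new Set(['ListSecrets', 'GetSecretValue', 'BatchGetSecretValue']);

// EC2 instance-profile sessions use the instance id as the role session name,
// so principalId looks like "AROAEXAMPLEID:i-0123456789abcdef0".
function isInstanceRoleSession(ev) {
  const id = ev.userIdentity || {};
  return id.type === 'AssumedRole' && /:i-[0-9a-f]{8,17}$/.test(id.principalId || '');
}

// Evaluate one CloudTrail event; returns zero or more alerts.
function evaluateCloudTrailEvent(ev) {
  const alerts = [];
  if (!isInstanceRoleSession(ev)) return alerts;
  const who = ev.userIdentity.principalId;
  const ip = ev.sourceIPAddress || '';
  const fromAwsService = ip.endsWith('.amazonaws.com'); // service-initiated calls carry a DNS name here
  if (ip && !fromAwsService && !KNOWN_EGRESS.has(ip)) {
    alerts.push({ rule: 'instance-credentials-used-off-host', eventID: ev.eventID,
      detail: `${who} called ${ev.eventName} from ${ip}` });
  }
  if (ev.eventSource === 'secretsmanager.amazonaws.com' && SECRETS_ENUM.has(ev.eventName)) {
    alerts.push({ rule: 'instance-role-secrets-enumeration', eventID: ev.eventID,
      detail: `${who} called ${ev.eventName}` });
  }
  return alerts;
}

// HTTP records are assumed to be objects with a response_headers map; the
// field name depends on the proxy or IDS that exported them.
function hasSupplyHeader(rec) {
  const headers = rec.response_headers || {};
  return Object.entries(headers).some(
    ([k, v]) => k.toLowerCase() === 'x-supply' && String(v).trim() === '1');
}

// Run both detections and return the hits (nothing is printed from here).
function runDetections(cloudTrailEvents, httpRecords) {
  return {
    cloudAlerts: cloudTrailEvents.flatMap((ev) => evaluateCloudTrailEvent(ev)),
    httpHits: httpRecords.filter(hasSupplyHeader)
      .map((r) => ({ ts: r.ts, src: r.src_ip, host: r.host })),
  };
}

// Constructed sample telemetry (not from the incident).
const SAMPLE_CLOUDTRAIL = [
  { eventID: 'evt-1', eventTime: '2026-05-28T13:05:00Z', eventSource: 'secretsmanager.amazonaws.com',
    eventName: 'ListSecrets', sourceIPAddress: '198.51.100.7',
    userIdentity: { type: 'AssumedRole', principalId: 'AROAEXAMPLEID:i-0abc12345def67890' } },
  { eventID: 'evt-2', eventTime: '2026-05-28T13:06:00Z', eventSource: 'ec2.amazonaws.com',
    eventName: 'DescribeInstances', sourceIPAddress: '203.0.113.10',
    userIdentity: { type: 'AssumedRole', principalId: 'AROAEXAMPLEID:i-0abc12345def67890' } },
  { eventID: 'evt-3', eventTime: '2026-05-28T13:07:00Z', eventSource: 'secretsmanager.amazonaws.com',
    eventName: 'GetSecretValue', sourceIPAddress: '203.0.113.11',
    userIdentity: { type: 'IAMUser', principalId: 'AIDAEXAMPLEID', userName: 'deploy' } },
];
const SAMPLE_HTTP = [
  { ts: '2026-05-28T13:04:10Z', src_ip: '10.0.1.15', host: 'stager.example',
    response_headers: { 'X-Supply': '1', 'Content-Type': 'application/octet-stream' } },
  { ts: '2026-05-28T13:04:12Z', src_ip: '10.0.1.15', host: 'registry.npmjs.org',
    response_headers: { 'content-type': 'application/json' } },
];

console.log(JSON.stringify(runDetections(SAMPLE_CLOUDTRAIL, SAMPLE_HTTP), null, 2));
```

The off-host rule relies on an EC2 instance-profile session naming itself after the instance id, so any call from that session that originates outside your own egress range means the credentials were copied off the box. Requiring IMDSv2 does not stop a stager already running on the instance from reading the metadata endpoint, so this reuse detection is what catches the theft after the fact; the Secrets Manager rule complements it by flagging enumeration that a normal workload role rarely performs.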

The incident underscores the growing sophistication of supply chain attacks, where trusted ecosystems like npm are exploited to gain access to sensitive cloud and development infrastructure.

Source: https://gbhackers.com/typosquatted-npm-packages/

OpenSearch TPRM report: https://www.rankiteo.com/company/opensearch-project

npm TPRM report: https://www.rankiteo.com/company/npm-inc-

ElasticSearch TPRM report: https://www.rankiteo.com/company/elastic-co

Amazon Web Services TPRM report: https://www.rankiteo.com/company/amazon-web-services

GitHub TPRM report: https://www.rankiteo.com/company/github

{'id': 'elagitamaopenpm1780050263',
 'linkid': 'elastic-co, github, amazon-web-services, opensearch-project, npm-inc-',
 'type': 'Cyber Attack',
 'date': '5/2026',
 'severity': '85',
 'impact': '4',
 'explanation': 'Attack with significant impact with customers data leaks'}
{'affected_entities': [{'industry': ['Technology', 'DevOps', 'Cloud Services'],
                        'type': 'Developers and Organizations'}],
 'attack_vector': ['Typosquatting',
                   'Metadata Spoofing',
                   'Malicious npm Packages'],
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Cloud credentials',
                                              'CI/CD secrets',
                                              'AWS secrets',
                                              'HashiCorp Vault tokens',
                                              'GitHub Actions tokens',
                                              'npm publish tokens']},
 'description': 'A recently uncovered npm supply chain attack has targeted '
                'developers working with OpenSearch, ElasticSearch, and DevOps '
                'tooling, stealing cloud credentials and CI/CD secrets from '
                'compromised systems. The campaign, attributed to a threat '
                'actor using the alias *vpmdhaj*, involved 14 malicious '
                'packages published on May 28, 2026, within a four-hour '
                'window. The attackers employed typosquatting and metadata '
                'spoofing, mimicking legitimate libraries while falsely '
                'linking to the official OpenSearch GitHub repository. The '
                'malicious packages executed code via npm preinstall scripts, '
                'triggering automatically without user interaction, and '
                'employed a two-stage payload system to exfiltrate credentials '
                'and maintain persistence.',
 'impact': {'data_compromised': ['Cloud credentials',
                                 'CI/CD secrets',
                                 'AWS secrets',
                                 'HashiCorp Vault tokens',
                                 'GitHub Actions tokens',
                                 'npm publish tokens'],
            'operational_impact': 'Potential lateral movement in cloud '
                                  'environments, manipulation of build '
                                  'pipelines, injection of malicious code into '
                                  'production',
            'systems_affected': ['Development environments',
                                 'CI/CD pipelines',
                                 'Cloud infrastructure (AWS)']},
 'initial_access_broker': {'backdoors_established': 'Persistence mechanism via '
                                                    'module import',
                           'entry_point': 'Malicious npm packages',
                           'high_value_targets': ['AWS credentials',
                                                  'CI/CD tokens',
                                                  'npm publish tokens']},
 'lessons_learned': 'The incident underscores the growing sophistication of '
                    'supply chain attacks, where trusted ecosystems like npm '
                    'are exploited to gain access to sensitive cloud and '
                    'development infrastructure.',
 'motivation': ['Credential Theft', 'Supply Chain Compromise'],
 'post_incident_analysis': {'corrective_actions': ['Remove malicious packages',
                                                   'Rotate exposed credentials',
                                                   'Enhance monitoring for '
                                                   'suspicious npm activity'],
                            'root_causes': ['Typosquatting',
                                            'Metadata spoofing',
                                            'Automatic execution of npm '
                                            'preinstall scripts',
                                            'Lack of package verification']},
 'recommendations': ['Audit systems for affected packages',
                     'Rotate exposed credentials',
                     "Monitor for indicators of compromise (e.g., 'X-Supply: "
                     "1' header, unusual CloudTrail activity)"],
 'references': [{'source': 'Incident Report'}],
 'response': {'containment_measures': 'Malicious packages and associated '
                                      'accounts removed from npm registry',
              'enhanced_monitoring': ['Monitor for indicators of compromise '
                                      "(e.g., 'X-Supply: 1' header, unusual "
                                      'CloudTrail activity)'],
              'remediation_measures': ['Audit systems for affected packages',
                                       'Rotate exposed credentials']},
 'threat_actor': 'vpmdhaj',
 'title': 'Sophisticated npm Supply Chain Attack Targets OpenSearch, '
          'ElasticSearch, and DevOps Tools',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Automatic execution of npm preinstall scripts'}