Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
ID: f2e3f443-13d4-5a3b-a397-4229d4b78648
STIX ID: report--f2e3f443-13d4-5a3b-a397-4229d4b78648
Feed Name: The Register (Security)
A lone attacker published 14 typosquatting/npm lookalike packages that impersonated OpenSearch/Elasticsearch and DevOps libraries; each package executed an install-time stager (preinstall hooks or a Bun loader) that retrieved a Bun-compiled second-stage credential harvester aimed at stealing AWS, HashiCorp Vault, npm, and GitHub Actions credentials. Microsoft removed the malicious packages, published a list of affected packages, and recommended rotating exposed IAM/STS, Vault, npm publish, and GitHub Actions tokens.
