Microsoft Exposes Malicious Typosquat Cluster Targeting Cloud Environments
ID: c9b03391-9058-5d1a-9c66-062c73a8aa87
STIX ID: report--c9b03391-9058-5d1a-9c66-062c73a8aa87
Feed Name: securityonline.info
Microsoft analysts flagged an active npm supply-chain campaign where an attacker published 14 typosquatted packages (e.g., opensearch-setup, elastic-opensearch-helper) that auto-execute stagers to deliver a Bun-compiled credential-harvesting binary (~195 KB) targeting AWS metadata (container roles across 16 regions), HashiCorp Vault, and npm publish tokens; Gen-2 stagers employ a fileless Bun runtime loader to evade detection. Registry maintainers removed the malicious packages; recommended mitigations include disabling pre/post-install scripts, rotating exposed cloud and GitHub tokens, blocking domain aab.sportsontheweb.net, and auditing cloud trails for anomalous identity activity.
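One of the mitigations named above is disabling pre/post-install scripts, because the typosquatted packages rely on npm lifecycle hooks to launch their stagers. The following audit script is an added example, not code from the securityonline.info report or from Microsoft's analysis: it walks an npm install tree, reports every package that declares a `preinstall`, `install` or `postinstall` hook, and prints the `.npmrc` setting that makes npm skip those hooks. The package names and the sample tree it builds are constructed for illustration; `ignore-scripts` is a documented npm config key.

```python
"""Audit an npm install tree for automatically executed install hooks.

Added example (not from the report or from Microsoft): lists packages under
node_modules whose package.json declares a preinstall/install/postinstall
script, i.e. code npm would run on its own during `npm install` unless
lifecycle scripts are disabled. Sample tree and names are constructed.
"""
import json
import os
import tempfile

# Lifecycle hooks npm runs without any further user action on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules):
    """Return sorted [(package name, hook, command)] for every package below
    node_modules (nested dependencies included) that declares an install hook."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        manifest = os.path.join(dirpath, "package.json")
        try:
            with open(manifest, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: report nothing, keep going
        scripts = meta.get("scripts") or {}
        name = meta.get("name") or os.path.relpath(dirpath, node_modules)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return sorted(findings)


def ignore_scripts_npmrc():
    """Project-level .npmrc line that makes npm skip lifecycle scripts entirely."""
    return "ignore-scripts=true\n"


def build_sample_tree(root):
    """Create a constructed node_modules tree: one clean package and one
    hypothetical package (not a real npm package) with a postinstall hook."""
    nm = os.path.join(root, "node_modules")
    packages = {
        "example-clean-lib": {"name": "example-clean-lib", "version": "1.0.0"},
        "example-typosquat": {
            "name": "example-typosquat",
            "version": "0.0.1",
            "scripts": {"postinstall": "node ./setup.js"},  # constructed stager launcher
        },
    }
    for folder, meta in packages.items():
        os.makedirs(os.path.join(nm, folder), exist_ok=True)
        with open(os.path.join(nm, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return nm


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for name, hook, cmd in demo():
        print(f"{name}: {hook} -> {cmd}")
    print("To block such hooks, add to .npmrc:", ignore_scripts_npmrc().strip())
```

Run it against a real checkout by calling `find_install_scripts("node_modules")` after `npm install`; packages it lists deserve a look before the hook is ever allowed to run, and `ignore-scripts=true` in `.npmrc` stops all of them while you review.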
