Typosquatted npm packages used to steal cloud and CI/CD secrets
ID: 54de1827-ec7a-5988-b88b-5a97c83ddf27
STIX ID: report--54de1827-ec7a-5988-b88b-5a97c83ddf27
Feed Name: Microsoft Security
Date Published: 2026-05-29
Date Updated: 2026-05-29
Author: Microsoft Defender Security Research Team
Microsoft observed an active npm supply-chain campaign (published 2026-05-28) in which the maintainer alias vpmdhaj published 14 typosquat packages mimicking OpenSearch/Elastic libraries. The packages use npm lifecycle hooks to execute a two-stage loader (Gen-1 HTTP C2 or Gen-2 Bun runtime abuse) and drop a ~195 KB Bun-compiled credential harvester that exfiltrates AWS credentials (IMDSv2, ECS task roles, Secrets Manager), HashiCorp Vault tokens, npm publish tokens, and GitHub Actions secrets. The report provides IOCs, detection queries, and mitigation guidance (including ignore-scripts, token rotation, and Defender/XDR detections).
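As an added example (not from the Microsoft report or its IOCs), a defender-side check for the two points the summary names: which installed packages declare an install-time lifecycle hook, and whether an .npmrc sets ignore-scripts so npm will not run them. The package names in the sample tree are constructed, not real packages.

```python
"""Defender-side check for the npm lifecycle-hook install vector.

Lists installed packages whose package.json declares a script that npm runs
automatically at install time, and checks whether .npmrc disables such scripts.
"""
import json
import tempfile
from pathlib import Path

# Scripts npm executes on its own during `npm install` (no user action needed).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules):
    """Return one record per installed package declaring an install-time hook."""
    findings = []
    for pkg_json in sorted(Path(node_modules).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the scan
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({"name": data.get("name"),
                             "version": data.get("version"), "hooks": hooks})
    return findings


def ignore_scripts_enabled(npmrc_text):
    """True if an .npmrc body sets ignore-scripts=true (npm then skips INSTALL_HOOKS)."""
    for line in npmrc_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


def demo():
    """Build a constructed node_modules tree (hypothetical package names) and scan it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "benign-pkg": {"name": "benign-pkg", "version": "1.0.0",
                       "scripts": {"test": "jest"}},
        "lookalike-pkg": {"name": "lookalike-pkg", "version": "0.0.3",
                          "scripts": {"postinstall": "node loader.js"}},
    }
    for folder, pkg in samples.items():
        (root / folder).mkdir(parents=True)
        (root / folder / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    return find_install_hooks(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}@{f['version']}: {f['hooks']}")
```

Point `find_install_hooks` at a real project's `node_modules` to list every package that would execute code during install; a hook in a dependency you did not expect is the trigger this campaign relies on.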
