Microsoft Threat Intelligence has revealed a supply chain attack that used malicious npm packages and dependency confusion techniques. On May 28-29, 2026, a threat actor published malicious packages that mimicked real corporate namespaces and executed an obfuscated reconnaissance payload upon installation. The campaign involved three aliases: mr.4nd3r50n, ce-rwb, and t-in-one. It targeted internal corporate services while masquerading as legitimate packages by copying their package details.
The attack used several techniques: automatic execution during the npm install process, environment detection, and a two-phase architecture in which a first stage collected data and a second stage enabled potential exploitation. Mitigation strategies include reviewing dependency trees, disabling script execution during installs, rotating credentials, and monitoring for suspicious activity related to the affected packages.
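The two mitigations that are easiest to automate are reviewing the dependency tree for internally named packages that resolved to the public registry (the dependency confusion signature) and spotting packages that carry an install-time script. The following Node script is an added example, not code from the Microsoft report or from npm: it audits a `package-lock.json` (lockfile v3 layout) for both conditions. The internal scope `@acme`, the registry URL `https://npm.internal.example/`, and the sample lockfile are all constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for dependency-confusion exposure.
// Assumption (constructed): packages under @acme must only ever resolve to the
// internal registry; anything else is a confusion candidate.
const INTERNAL_SCOPES = ['@acme'];
const INTERNAL_REGISTRY = 'https://npm.internal.example/';

// Constructed sample lockfile (npm lockfileVersion 3). The "packages" map is
// keyed by install path; "hasInstallScript" is the flag npm records when a
// package declares preinstall/install/postinstall scripts.
const sampleLock = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { '@acme/auth-client': '^1.0.0', 'left-pad': '^1.3.0' } },
    'node_modules/@acme/auth-client': {
      version: '99.0.1',
      resolved: 'https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.1.tgz',
      hasInstallScript: true,
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/@acme/logger': {
      version: '2.1.0',
      resolved: 'https://npm.internal.example/@acme/logger/-/logger-2.1.0.tgz',
    },
  },
};

// Extract the package name from a lockfile install path, e.g.
// 'node_modules/a/node_modules/@scope/b' -> '@scope/b'. Returns null for the root entry.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Walk every installed package and return a list of findings.
function auditLock(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (!name) continue; // root project entry
    const resolved = entry.resolved || '';
    const isInternalName = INTERNAL_SCOPES.some((s) => name.startsWith(s + '/'));

    // Finding 1: an internally scoped name fetched from somewhere other than the
    // internal registry (public registry, unpinned mirror, etc.).
    if (isInternalName && !resolved.startsWith(INTERNAL_REGISTRY)) {
      findings.push({ name, version: entry.version, reason: 'internal-scope-resolved-externally', resolved });
    }
    // Finding 2: any package that runs code at install time; these are the ones
    // "ignore-scripts" would have stopped.
    if (entry.hasInstallScript === true) {
      findings.push({ name, version: entry.version, reason: 'has-install-script', resolved });
    }
  }
  return findings;
}

// Convenience wrapper for a real lockfile on disk (hypothetical usage path).
function auditLockFile(path) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(path, 'utf8')));
}

// Run against the constructed sample when executed directly.
for (const f of auditLock(sampleLock)) {
  console.log(`${f.reason}: ${f.name}@${f.version} <- ${f.resolved}`);
}
```

On the sample lockfile the script reports `@acme/auth-client` twice: once because an internal name resolved from `registry.npmjs.org` (note the implausibly high version, a typical way to win the resolver), and once because it carries an install script. `@acme/logger`, resolved from the internal registry, and `left-pad`, a public package with no install script, produce no findings. The companion configuration change is an `.npmrc` that pins the scope to the internal registry (`@acme:registry=https://npm.internal.example/`) and sets `ignore-scripts=true`, with CI using `npm ci --ignore-scripts`, so that an install never runs package lifecycle scripts in the first place.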