Microsoft identified a supply chain attack targeting the npm package ecosystem on May 28, 2026, attributed to a threat actor using the alias vpmdhaj. The actor published 14 malicious packages that typosquatted well-known libraries; once installed, they harvested AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets.
The packages executed their payloads automatically through npm lifecycle scripts, which run during installation without any further action from the user, and carried two payload variants that stole credentials and enabled lateral movement across cloud environments. Key tactics included lookalike package names, spoofed metadata, and inflated version numbers that made the packages appear mature and trustworthy. Microsoft recommends several mitigations, including disabling script execution during installation (for npm, the --ignore-scripts flag or the ignore-scripts=true setting in .npmrc) and rotating any credentials that may have been exposed. Note that disabling lifecycle scripts globally also blocks legitimate ones, such as native addon builds, so packages that genuinely need them must be reviewed and allowed individually.