Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries

Blizine Admin

And then Microsoft busted them all

Jessica Lyons
Published Fri 29 May 2026 // 22:46 UTC

A single npm user on Thursday published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, according to Microsoft. It’s the latest in a seemingly never-ending string of supply chain attacks targeting developer tools, stealing cloud credentials and CI/CD pipeline secrets in its wake.

Using a newly created maintainer alias, vpmdhaj (a39155771@gmail[.]com), the threat actor published 14 packages impersonating legitimate libraries from the @opensearch and @elastic ecosystems and targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself. This suggests that the attacker “likely chose a developer audience to have AWS and Elastic cloud credentials in their environments,” Microsoft warned in a Thursday blog.

All of the malicious packages include the same install-time stager and the same Bun-compiled, second-stage payload: a 195 KB credential harvester purpose-built for cloud and CI/CD environments.

Plus, as we’ve seen with all of the other open source supply chain attacks of late, after stealing tokens and other secrets, the attacker can move laterally across cloud environments, steal additional sensitive data, and push even more poisoned updates to packages owned by hijacked maintainer identities, thus expanding the attack beyond the initial 14.

📰The Register — theregister.com
