Typosquatted npm packages harvest cloud and CI/CD secrets via lifecycle hooks
14 malicious npm packages published under the maintainer alias vpmdhaj use typosquatted names and spoofed upstream metadata to run a credential-stealing payload from a preinstall hook during installation, targeting AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets and npm tokens.
Attack Brief
Target: npm package ecosystem; AWS; HashiCorp Vault; GitHub Actions; npm registry
Vector: Typosquatted npm packages with malicious preinstall lifecycle hooks executed during npm install
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1195.001; T1547.013; T1555; T1552.001; T1087
IoCs: vpmdhaj (maintainer alias); a39155771@gmail.com; opensearch-setup; opensearch-setup-tool; opensearch-config-utility; elastic-opensearch-helper; search-engine-setup; env-config-manager; @vpmdhaj/elastic-helper; preinstall.js; setup.mjs; payload.bin; X-Supply: 1 (HTTP header)
Affected: 14 scoped and unscoped npm packages; versions 1.0.7265 and higher (Gen-1); versions 1.0.7266 and higher (Gen-2)
Impact
Affected Organisations: Not stated
Sectors: Software Development; DevOps; Cloud Infrastructure
Confirmed Damage: Theft of AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, npm publish tokens, AWS Instance Metadata Service (IMDSv2) credentials and ECS task-role credentials; enumeration of AWS Secrets Manager across 16+ regions
Mitigation
Patches: npm removed the malicious packages and the publishing user account.
Workarounds: Audit npm dependencies for typosquatted names and spoofed upstream metadata; verify the package.json homepage, repository and bugs fields against the official upstream project before trusting a package that claims to belong to it; pin dependency versions and verify lockfile integrity hashes; restrict npm install in CI/CD pipelines to trusted networks (limiting build egress to the registries the build actually needs also blocks the exfiltration POST); flag preinstall, install and postinstall lifecycle hooks in dependency package.json files, and where dependencies do not need install-time scripts run installs with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), noting that packages with native builds then need their scripts run explicitly.
Detection: Monitor HTTP proxy logs for POST requests carrying an X-Supply header; alert on preinstall.js or setup.mjs executing under npm install; hunt for payload.bin spawned as a detached process; monitor AWS IMDS queries and Secrets Manager API calls originating from npm install contexts; detect base64-encoded host context in HTTP POST bodies; alert on npm publish token access from unexpected processes.
Context
Previous Campaigns: Not stated
Similar Attacks: Not stated