vpmdhaj npm Supply Chain Attack — 14 OpenSearch/ElasticSearch Typosquats Steal AWS/Vault/CI-CD Secrets via Bun-Compiled Stager (Mini Shai-Hulud) — Threadlinqs Intelligence
Threat ID: TL-2026-0623 · Severity: HIGH · Status: MONITORING · Category: SUPPLY_CHAIN
Attribution: vpmdhaj · FINANCIAL
A single actor under the new npm alias "vpmdhaj" published 14 typosquatted OpenSearch/ElasticSearch/DevOps packages on 2026-05-28 whose npm install-time lifecycle hooks run a ~195 KB Bun-compiled
On May 28, 2026, a single npm maintainer operating under the newly created alias "vpmdhaj" (registration email a39155771@gmail.com) published 14 malicious packages within an approximately four-hour window. The packages typosquat the OpenSearch, ElasticSearch, DevOps, and environment/config library namespaces (e.g. opensearch-setup, opensearch-setup-tool, opensearch-config-utility, elastic-opensearch-helper, env-config-manager) and include both unscoped lookalikes and packages under the actor's own @vpmdhaj scope. To appear legitimate, the packages spoofed the repository URL github.com/opensearch-project/opensearch-js and carried grossly inflated version numbers (e.g. 1.0.9108, 2.1.9201) to win npm dist-tag resolution and impersonate maturity. Microsoft Threat Intelligence tracked the cluster as a 'Mini Shai-Hulud' variant and reported it to npm, which removed the packages and suspended the maintainer accounts.
Execution happens at install time and requires no application code to require() the package: the packages declare npm lifecycle hooks (preinstall / install / postinstall) that run automatically during `npm install`. Two stager generations were observed. Gen-1 runs node -> preinstall.js / index.js, which beacons over HTTP to the C2 at hxxp://aab.sportsontheweb[.]net/x.php (carrying the custom header 'X-Supply: 1'), downloads payload.bin, and re-launches itself as a detached background process marked with the environment variable __DAEMONIZED=1 so that it survives the exit of the parent npm process. Gen-2 runs node -> setup.mjs, which downloads a legitimate Bun runtime (from GitHub releases) and uses it to execute a bundled, Bun-compiled second-stage credential harvester (~195 KB; observed as opensearch_init.js / ai_init.js, with the compressed payload shipped as payload.gz). Using a real, signed Bun binary to interpret the obfuscated stage-2 lets the actor blend with normal developer tooling and evade signature-based JS scanning.
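The three tells this paragraph and the previous one describe (install-time lifecycle hooks, a spoofed repository URL, inflated version numbers, and stager strings in shipped source) can be checked statically against an already-installed node_modules tree. The script below is an added example for this advisory, not Microsoft's or npm's tooling; it assumes a version component above MAX_VERSION_COMPONENT (set to 500 here, a tunable assumption) is implausible, treats the repository/name mismatch as a heuristic that needs human review, and only reads top-level .js/.mjs/.cjs files of each package. The suspect strings are the C2 host, stager artifacts and metadata endpoints named on this page.

```python
"""Static audit of an installed node_modules tree for the tells in this advisory."""
from __future__ import annotations
import json
import re
import sys
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Strings tied to this cluster (C2 host, stager artifacts) plus the metadata endpoints it queries.
SUSPECT_STRINGS = ("payload.bin", "payload.gz", "__DAEMONIZED", "X-Supply",
                   "sportsontheweb", "169.254.169.254", "169.254.170.2")
MAX_VERSION_COMPONENT = 500   # assumption: 1.0.9108 / 2.1.9201 exceed this; tune for your tree
SOURCE_SUFFIXES = (".js", ".mjs", ".cjs")
GITHUB_RE = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?/?$")


def repo_url(pkg: dict) -> str:
    """package.json 'repository' may be a string or a {'type', 'url'} object."""
    repo = pkg.get("repository")
    if isinstance(repo, dict):
        return repo.get("url") or ""
    return repo if isinstance(repo, str) else ""


def audit_package(pkg: dict, sources: dict[str, str] | None = None) -> list[str]:
    """Return findings for one parsed package.json; 'sources' maps file name -> file text."""
    findings: list[str] = []
    name = str(pkg.get("name", "?"))
    scripts = pkg.get("scripts") or {}
    # 1. Install-time hooks: these run during `npm install` without any require() by the app.
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"{name}: lifecycle hook '{hook}' runs: {scripts[hook]}")
    # 2. Inflated version components used to win dist-tag resolution.
    version = str(pkg.get("version", ""))
    if any(int(c) > MAX_VERSION_COMPONENT for c in version.split(".") if c.isdigit()):
        findings.append(f"{name}: implausible version {version}")
    # 3. Repository URL claiming a GitHub project the package name does not belong to (heuristic).
    m = GITHUB_RE.search(repo_url(pkg))
    if m:
        owner, repo = m.group(1).lower(), m.group(2).lower()
        bare = name.split("/")[-1].lower()
        if not (name.lower().startswith(f"@{owner}/") or bare in (repo, owner)):
            findings.append(f"{name}: repository claims {owner}/{repo} but name does not match")
    # 4. Stager strings in shipped source files.
    for fname, text in (sources or {}).items():
        hits = [s for s in SUSPECT_STRINGS if s in text]
        if hits:
            findings.append(f"{name}: {fname} contains {', '.join(hits)}")
    return findings


def audit_node_modules(root: Path, max_bytes: int = 2_000_000) -> list[str]:
    """Walk every package.json under root and audit it together with its top-level JS files."""
    findings: list[str] = []
    for pj in sorted(root.rglob("package.json")):
        try:
            pkg = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if not isinstance(pkg, dict):
            continue
        sources: dict[str, str] = {}
        for f in pj.parent.iterdir():
            if f.is_file() and f.suffix in SOURCE_SUFFIXES and f.stat().st_size <= max_bytes:
                sources[f.name] = f.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_package(pkg, sources))
    return findings


if __name__ == "__main__":
    # Usage: python audit_node_modules.py [path/to/node_modules]
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "node_modules")
    for line in audit_node_modules(root):
        print(line)
```

Run it against the node_modules of any project or runner image that may have pulled one of the affected packages. Lifecycle-hook findings are the ones to act on first; a hook alone is common in native-addon packages, but a hook combined with an inflated version or a repository mismatch is the pattern this cluster used. Installing with `npm install --ignore-scripts` (or setting `ignore-scripts=true` in .npmrc) prevents these hooks from running at all, at the cost of breaking packages that genuinely need them.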
The second stage is a cloud and CI/CD credential harvester. Against AWS it queries the EC2 Instance Metadata Service v2 (169.254.169.254) and the ECS task metadata endpoint (169.254.170.2), reads AWS credential environment variables, calls STS GetCallerIdentity and AssumeRole to validate and pivot on stolen roles, and enumerates Secrets Manager (ListSecrets / GetSecretValue) across 16 or more AWS regions. It reads HashiCorp Vault tokens from the VAULT_TOKEN and VAULT_AUTH_TOKEN environment variables, validates npm tokens through the registry /-/whoami endpoint and enumerates publish access via /-/npm/v1/tokens (enabling downstream supply-chain self-propagation by republishing into packages the victim maintains), and collects GitHub Actions context including GITHUB_REPOSITORY and RUNNER_OS. Harvested secrets are exfiltrated over the same HTTP C2 channel.
Impact is highest in CI/CD runners and developer/build hosts that hold ambient cloud credentials and long-lived publish tokens. Any environment that installed an affected package should treat all reachable AWS, Vault, npm, and GitHub Actions secrets as compromised and rotate them. Microsoft Defender Antivirus detects the components as Trojan:JS/ShaiWorm, Trojan:JS/ObfusNpmJs, and Backdoor:JS/SupplyChain, and Microsoft published Defender XDR advanced hunting queries for npm lifecycle script execution, the payload.bin artifact, detached __DAEMONIZED=1 processes, Bun runtime downloads, C2 beacons to the attacker domain, and AWS IMDS/ECS metadata access. This cluster is distinct from the contemporaneous TeamPCP 'Mini Shai-Hulud' worm that hit TanStack/Mistral/UiPath; it shares the family label and Bun-stager tradecraft but uses a separate actor alias, package set, and C2 infrastructure.
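The hunting themes listed above (lifecycle script execution, the payload.bin artifact, detached __DAEMONIZED=1 processes, Bun runtime downloads, C2 beacons, and metadata-service access) can be expressed as simple rules over process and network telemetry and then correlated per host. The code below is an added example for this page, not Microsoft's published KQL; the telemetry lines are constructed to resemble EDR/CI-runner events and are not real logs, the field names (type, host, image, cmdline, env, dest, url) are assumptions about your schema, and the Bun release URL is a constructed placeholder path. It relies on npm setting the real npm_lifecycle_event variable in the scripts it spawns, which distinguishes install hooks from ordinary `npm run` scripts.

```python
"""Rule-based detection over constructed process/network telemetry, correlated per host."""
from __future__ import annotations
import json
from collections import defaultdict

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall"}
METADATA_ENDPOINTS = {"169.254.169.254", "169.254.170.2"}   # EC2 IMDS, ECS task metadata
C2_DOMAINS = {"aab.sportsontheweb.net"}                     # from the advisory
SCRIPT_RUNTIMES = {"node", "bun"}

# Constructed sample telemetry (not real logs): one JSON event per line.
# The Bun URL path below is a placeholder, not an observed download URL.
SAMPLE_EVENTS = """
{"ts":"2026-05-28T10:01:02Z","type":"process","host":"ci-runner-7","image":"node","parent":"npm","cmdline":"node preinstall.js","env":{"npm_lifecycle_event":"preinstall"}}
{"ts":"2026-05-28T10:01:03Z","type":"network","host":"ci-runner-7","image":"node","dest":"aab.sportsontheweb.net","port":80,"url":"http://aab.sportsontheweb.net/x.php"}
{"ts":"2026-05-28T10:01:04Z","type":"network","host":"ci-runner-7","image":"node","dest":"aab.sportsontheweb.net","port":80,"url":"http://aab.sportsontheweb.net/payload.bin"}
{"ts":"2026-05-28T10:01:05Z","type":"process","host":"ci-runner-7","image":"node","parent":"node","cmdline":"node index.js","env":{"__DAEMONIZED":"1"}}
{"ts":"2026-05-28T10:01:09Z","type":"network","host":"ci-runner-7","image":"node","dest":"github.com","port":443,"url":"https://github.com/oven-sh/bun/releases/download/bun-vX.Y.Z/bun-linux-x64.zip"}
{"ts":"2026-05-28T10:01:14Z","type":"network","host":"ci-runner-7","image":"bun","dest":"169.254.169.254","port":80,"url":"http://169.254.169.254/latest/api/token"}
{"ts":"2026-05-28T10:02:00Z","type":"process","host":"dev-laptop-3","image":"node","parent":"npm","cmdline":"node scripts/build.js","env":{"npm_lifecycle_event":"build"}}
{"ts":"2026-05-28T10:02:30Z","type":"network","host":"ecs-task-12","image":"aws","dest":"169.254.170.2","port":80,"url":"http://169.254.170.2/v2/credentials"}
"""


def match_rules(ev: dict) -> list[str]:
    """Return the names of every rule a single event satisfies."""
    hits: list[str] = []
    env = ev.get("env") or {}
    url = ev.get("url") or ""
    cmd = ev.get("cmdline") or ""
    dest = (ev.get("dest") or "").lower()
    image = (ev.get("image") or "").lower()
    if ev.get("type") == "process":
        # npm exports npm_lifecycle_event to the script it runs; install hooks are the interesting ones.
        if env.get("npm_lifecycle_event") in LIFECYCLE_HOOKS:
            hits.append("npm_lifecycle_script")
        # Gen-1 stager marks its detached re-launch with this variable.
        if env.get("__DAEMONIZED") == "1":
            hits.append("daemonized_stager")
    elif ev.get("type") == "network":
        if dest in C2_DOMAINS or any(dest.endswith("." + d) for d in C2_DOMAINS):
            hits.append("c2_beacon")
        # A script runtime fetching a Bun release is the Gen-2 tell; noisy where Bun is a sanctioned toolchain.
        if "github.com" in url and "/bun/releases/" in url and image in SCRIPT_RUNTIMES:
            hits.append("bun_runtime_download")
        # The AWS CLI or SDK normally talks to the metadata service; node/bun doing so during install does not.
        if dest in METADATA_ENDPOINTS and image in SCRIPT_RUNTIMES:
            hits.append("metadata_access_from_script_runtime")
    if any(a in cmd or a in url for a in ("payload.bin", "payload.gz")):
        hits.append("payload_artifact")
    return hits


def detect(lines: str) -> list[dict]:
    """Parse newline-delimited JSON events and emit one alert per (event, rule) match."""
    alerts: list[dict] = []
    for raw in lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except ValueError:
            continue   # skip malformed lines rather than abort the whole batch
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "host": ev.get("host"), "ts": ev.get("ts")})
    return alerts


def score_hosts(alerts: list[dict], min_rules: int = 3) -> dict[str, list[str]]:
    """Hosts that tripped at least min_rules distinct rules; single rules alone are too noisy to page on."""
    per_host: dict[str, set] = defaultdict(set)
    for a in alerts:
        per_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["ts"], a["host"], a["rule"])
    print("hosts to triage:", score_hosts(found))
```

In the constructed sample only ci-runner-7 trips enough distinct rules to be triaged; the laptop running an ordinary build script and the ECS task whose AWS CLI reads task credentials generate nothing. Once a host is flagged, the response the advisory calls for is rotation of every AWS, Vault, npm and GitHub Actions secret reachable from that host, not just removal of the package.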
Weaknesses (CWE)
CWE-506, CWE-829, CWE-1357, CWE-522
Target sectors: technology, software-development, devops, cloud-services, financial-services
Target regions: Global, North America, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 42 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
SUPPLY_CHAIN, HIGH, threat intelligence, cybersecurity, T1585, T1587.001, T1608.001, T1195.002, T1059.007, T1204.001, T1543, T1036, T1027, T1027.004