Feed
HighPublished 28 May 202614 packages · 41 versions

vpmdhaj OpenSearch / ElasticSearch / DevOps typosquat burst (14 npm packages, Bun stager → cloud + CI/CD secret theft)

Summary

Microsoft Threat Intelligence flagged 14 typosquat npm packages published on 2026-05-28 by a single new maintainer alias vpmdhaj (a39155771@gmail.com) in a ~4-hour window. Install-time stager pulls a ~195KB Bun-compiled credential harvester from aab.sportsontheweb[.]net/x.php (X-Supply: 1 header) and exfiltrates AWS, HashiCorp Vault, GitHub Actions and npm publish tokens.

typosquatcredential-theftci-cd-compromiseinfostealerobfuscation
Detected by
Microsoft Threat Intelligence
Also known as
vpmdhaj burst · sportsontheweb.net campaign
Ecosystems
npm
Packages tracked
14

What happened

Microsoft Threat Intelligence published an analysis on 2026-05-28 of a focused npm typosquat burst by a single newly-created maintainer account vpmdhaj (a39155771@gmail.com). Within ~4 hours on 2026-05-28 the actor pushed 14 packages — 4 scoped under @vpmdhaj/*, 10 unscoped — that impersonate well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, with several spoofing the upstream opensearch-project GitHub URL in their package.json to look legitimate to a reviewer skimming metadata.

The scoped tranche (@vpmdhaj/elastic-helper, @vpmdhaj/devops-tools, @vpmdhaj/opensearch-setup, @vpmdhaj/search-setup) landed first at versions in the 1.0.72671.0.7269 range as test releases. The unscoped tranche followed in a ~30-minute burst at 2026-05-28T20:172026-05-28T21:03 UTC, all stamped with high build numbers (1.0.91001.0.9300, plus 2.1.9201 for env-config-manager) so they would outrank legitimate releases in semver resolution. npm unpublished every malicious version listed on 2026-05-29 within hours of detection; the publisher account was suspended.

The payload chain is a two-stage Bun loader. The postinstall hook downloads a small JS stager (SHA-256 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D) over HTTP from aab.sportsontheweb[.]net/x.php on port 80, carrying the marker header X-Supply: 1. The stager pulls a ~195KB Bun-compiled stage-2 (SHA-256 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D), spawns it as a detached process with __DAEMONIZED=1 so it outlives the npm install, and walks the host for AWS credentials (IMDS, ECS task role, Secrets Manager), HashiCorp Vault tokens, GitHub Actions OIDC and GitHub PATs, and npm publish tokens. The harvester is purpose-built for cloud and CI/CD environments — there is no crypto-wallet logic — which together with the npm-token theft suggests the operator is staging tokens for a downstream worm wave.

  • The Bun runtime + cloud/Vault/CI focus mirror the Mini Shai-Hulud TeamPCP family (TanStack 2026-05-11, durabletask 2026-05-19, AntV 2026-05-19), but Microsoft does NOT attribute vpmdhaj to TeamPCP — different infrastructure, different stager hash, different aliases, and no worm propagation observed yet in the 24h after publish. Treat the toolchain similarity as a tradecraft signal, not a hard link.
  • No GHSA advisories are published yet (as of 2026-05-31 ingest); confirmation comes from Microsoft Defender detections (Trojan:JS/ObfusNpmJs family) and direct npm registry verification of the unpublish entries for the 10 unscoped names.
  • Scoped @vpmdhaj/* versions are sourced from the Microsoft blog; the npm registry returns empty manifests for those names today, consistent with a hard delete rather than an unpublish.
  • This burst landed the same day as the mr.4nd3r50n / t-in-one oob.moika.tech dependency-confusion campaign tracked separately in npm-2026-05-28-moika-dependency-confusion.ts; the two are unrelated (different infrastructure, different aliases, different payloads) but together demonstrate sustained Russian-language actor activity against npm on 2026-05-28.

Affected packages (14)

  • npm@vpmdhaj/devops-tools
    1.0.7267
  • npm@vpmdhaj/elastic-helper
    1.0.7269
  • npm@vpmdhaj/opensearch-setup
    1.0.7267
  • npm@vpmdhaj/search-setup
    1.0.7268
  • npmapp-config-utility
    1.0.92001.0.9300
  • npmelastic-opensearch-helper
    1.0.72651.0.91031.0.91041.0.91051.0.91061.0.91071.0.9108
  • npmenv-config-manager
    2.1.9201
  • npmopensearch-config-utility
    1.0.72651.0.91041.0.91051.0.9106
  • npmopensearch-security-scanner
    1.0.81.0.91.0.10
  • npmopensearch-setup
    1.0.90001.0.91001.0.91011.0.91021.0.9103
  • npmopensearch-setup-tool
    1.0.72651.0.91061.0.91071.0.9108
  • npmsearch-cluster-setup
    1.0.72651.0.91021.0.91031.0.9104
  • npmsearch-engine-setup
    1.0.72651.0.91051.0.91061.0.91071.0.9108
  • npmvpmdhaj-opensearch-setup
    1.0.91011.0.9102

Impact

  • AWS credential theft: IMDS, ECS task role, Secrets Manager
  • HashiCorp Vault tokens lifted from ~/.vault-token and VAULT_TOKEN env
  • GitHub Actions OIDC and GITHUB_TOKEN extracted from runner env
  • npm publish tokens stolen — primary worm propagation vector for follow-on bursts
  • Bun-compiled ~195KB stage-2 payload runs as detached process with __DAEMONIZED=1 to survive npm install exit

What to do

  1. 1Audit package.json, lockfiles and CI caches for the 14 names below; npm has unpublished every malicious version listed but cached copies in CI may persist
  2. 2Block egress to aab.sportsontheweb[.]net and hunt for outbound HTTP requests carrying X-Supply: 1
  3. 3Rotate any AWS access keys, ECS task role credentials, Vault tokens, GitHub PATs, OIDC trust relationships and npm tokens reachable from a host that installed one of these packages
  4. 4Hunt for __DAEMONIZED=1 in process env or shell history on developer / CI hosts
  5. 5Add stager and payload SHA-256 hashes to EDR allow-blocklists: 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D (stage 1), 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D (stage 2)
  6. 6Enforce internal-scope reservation for @opensearch-project, @elastic, and any internal DevOps scope so confusion typosquats lose semver resolution

References

npm-2026-05-28-vpmdhaj-opensearch-typosquats