vpmdhaj npm OpenSearch Typosquats Steal Cloud and CI/CD Secrets

Executive Summary

Microsoft Threat Intelligence reported a 14-package npm typosquat cluster under the vpmdhaj scope on May 28, 2026 [Source 1]. The packages impersonated OpenSearch, AWS SDK, STS, and Bun-adjacent names, then attempted to collect cloud and CI/CD credentials from developer and build environments [Source 1].

The strongest public indicators are the package names, the known malicious version pairs for @vpmdhaj/opensearch-setup and @vpmdhaj/elastic-helper, the SHA-256 values published by Microsoft, and exfiltration to aab.sportsontheweb[.]net over /api/b [Source 1]. The npm maintainer and package pages are useful for historical scoping and takedown confirmation, but Microsoft’s writeup is the primary source for behavior and IOCs [Source 2] [Source 3].

Treat a confirmed install or execution in a CI runner, release job, developer workstation, or container build as credential exposure. The package set targeted AWS metadata and credential-provider flows, GitHub Actions OIDC request material, npm tokens, Vault tokens, Kubernetes service accounts, SSH keys, and local cloud configuration files [Source 1] [Source 6].

Key Facts

event_type: "npm typosquat credential theft cluster"
ecosystem: "npm, node, bun, ci-cd, cloud"
publisher_scope: "vpmdhaj"
affected_packages:
  - "@vpmdhaj/opensearch-setup"
  - "@vpmdhaj/elastic-helper"
  - "@vpmdhaj/aws-compat"
  - "@vpmdhaj/aws-credential-provider-env"
  - "@vpmdhaj/aws-credential-provider-http"
  - "@vpmdhaj/aws-sdk-client-opensearch"
  - "@vpmdhaj/aws-sdk-client-sts"
  - "@vpmdhaj/aws-sdk-credential-provider-node"
  - "@vpmdhaj/aws-sdk-types"
  - "@vpmdhaj/bun"
  - "@vpmdhaj/opensearch"
  - "@vpmdhaj/opensearch-project"
  - "@vpmdhaj/opensearch-js"
  - "@vpmdhaj/sts-client"
known_malicious_versions:
  "@vpmdhaj/opensearch-setup":
    - "1.0.9102"
    - "1.0.9103"
  "@vpmdhaj/elastic-helper":
    - "1.0.7267"
    - "1.0.7268"
    - "1.0.7269"
    - "1.0.7270"
credential_targets:
  - "AWS environment, container, metadata, and web identity credentials"
  - "GitHub Actions OIDC request token material"
  - "npm tokens and npmrc credentials"
  - "Vault tokens"
  - "Kubernetes service account tokens"
  - "SSH keys and local cloud configuration files"
network_iocs:
  - "aab.sportsontheweb[.]net"
  - "www.sportsontheweb[.]net"
path_iocs:
  - "/api/b"
sha256:
  - "a39155771e93e65b05195c8a705dfc03aa85c2ec682505f0d557233a8f275145"
  - "9d962ed605bb4a39991f8fab9b1d2e423ea4d545f23fd44d9473a6423d94bbf"
canonical_source: "https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/"

Source Confidence & Evidence Mapping

• confirmed: Microsoft identified the vpmdhaj package set, credential theft behavior, exfiltration endpoint, file hashes, and remediation guidance [Source 1].
• confirmed: npm lifecycle scripts can execute during install flows when package manager configuration permits them, which makes package installation itself a relevant execution path to investigate [Source 4].
• confirmed: Bun is a JavaScript runtime and package/tooling context that defenders should include when investigating packages that impersonate Bun-related names or are executed through Bun workflows [Source 5].
• confirmed: AWS metadata and credential provider endpoints are high-value targets because they can return temporary credentials to properly authorized workloads [Source 6].
• unclear: Public sources do not provide a complete package-version matrix for every package in the cluster. The exact ranges should be recovered from package-lock history, private registry mirrors, package caches, or npm audit logs.
• not_observed: Public sources do not currently prove compromise of legitimate OpenSearch, AWS SDK, STS, or Bun packages.

Impact Determination

Classification	Criteria	Required evidence	Handling decision
Confirmed compromise	A vpmdhaj package was installed or executed and credential collection or exfiltration indicators are observed.	Lockfile or package cache hit plus process, network, shell, CI, proxy, EDR, or CloudTrail evidence for the same environment.	Isolate the host or runner, preserve artifacts, rotate reachable credentials from a clean environment, and review downstream account activity.
Presumed exposed	A vpmdhaj package is present in a CI runner, release job, developer environment, container build, or package cache, but runtime telemetry is incomplete.	Manifest, lockfile, package-manager log, npm cache, private registry, or image layer evidence.	Treat secrets reachable from the environment as exposed unless negative telemetry proves non-execution and no lifecycle script execution.
Potentially exposed	A repository references OpenSearch, AWS SDK, STS, or Bun dependencies and package resolution history is missing.	Dependency manifests, lockfiles, private registry logs, npm proxy logs, CI job histories, and package-manager cache exports.	Reconstruct package resolution and execution before narrowing scope.
Not exposed	No package names, versions, hashes, domains, exfiltration paths, or credential marker behavior appear in dependency, cache, runtime, network, or audit evidence.	Negative search across repositories, package caches, runners, images, proxy logs, EDR telemetry, and cloud audit logs.	Preserve negative evidence and enforce package namespace and lifecycle-script controls.
Unknown	Required dependency, package-cache, runner, endpoint, proxy, or cloud telemetry is unavailable.	Named telemetry gap with owner, system, and retention window.	Keep credentials reachable from the environment in scope until evidence is recovered or risk owners accept rotation as closure.

Minimum Evidence To Collect

dependency_evidence:
  - "package.json, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, yarn.lock, bun.lock, bun.lockb"
  - "private npm proxy and registry access logs"
  - "npm, npx, pnpm, yarn, bun, and CI package install logs"
runtime_evidence:
  - "process command lines for npm, npx, node, bun, postinstall, and lifecycle scripts"
  - "network logs for aab.sportsontheweb[.]net, www.sportsontheweb[.]net, and /api/b"
  - "file access telemetry for .aws/config, .aws/credentials, .vault-token, npmrc files, SSH keys, and Kubernetes service account tokens"
cloud_evidence:
  - "AWS CloudTrail GetCallerIdentity, AssumeRole, AssumeRoleWithWebIdentity, and unusual session activity"
  - "GitHub Actions OIDC token request logs and workflow run histories"
  - "npm token creation, use, publish, and revocation logs"

Timeline

• 2026-05-28: Microsoft published the analysis and IOCs for the vpmdhaj typosquat cluster [Source 1].
• 2026-05-28: Microsoft stated that the 14 malicious packages were removed from npm and that affected users should rotate exposed credentials [Source 1].
• 2026-05-29: This Halting Problems packet was added after dedupe confirmed no existing local post covered the vpmdhaj package set, aab.sportsontheweb[.]net, or the published hashes.

What Happened

The actor created npm packages under the vpmdhaj scope with names close to packages and concepts a cloud or OpenSearch user might expect to install. Microsoft’s package list includes OpenSearch-themed names, AWS credential provider and STS-themed names, and a Bun-themed package [Source 1].

The payload behavior was credential oriented. Microsoft reported collection logic for environment variables, AWS credential sources, GitHub Actions OIDC request material, npm credentials, Vault tokens, Kubernetes service account tokens, SSH material, and local cloud configuration files [Source 1]. That makes the blast radius different from a simple developer workstation compromise: the same install in a CI runner may expose deployment credentials, cloud role sessions, registry tokens, and release automation paths.

Exfiltration used aab.sportsontheweb[.]net with the /api/b path, and Microsoft published two SHA-256 values for associated artifacts [Source 1]. In human-facing material, keep the domains defanged; use the machine-readable event profile and the audit script when exact matching is required.

Technical Analysis

Package and Registry Abuse

registry: "npm"
scope: "vpmdhaj"
impersonated_areas:
  - "OpenSearch client and setup packages"
  - "AWS SDK and credential provider packages"
  - "AWS STS client packages"
  - "Bun runtime/tooling package naming"
delivery_paths:
  - "direct npm install"
  - "npx-style ephemeral execution"
  - "CI dependency restore"
  - "container build dependency install"
  - "Bun workflow dependency install or execution"

The public evidence does not show compromise of the real upstream projects. The risk is dependency confusion by name, typo, or malicious copycat package selection under an attacker-controlled npm scope [Source 1] [Source 2] [Source 3].

Execution Triggers

npm lifecycle scripts are a key collection point because package scripts can run during install-related flows unless disabled or blocked by policy [Source 4]. Bun also belongs in the scoping plan because Microsoft included a Bun-themed package name and Bun can execute JavaScript package workflows in environments that may not leave npm-style process names in telemetry [Source 1] [Source 5].

Credential Collection

The cluster’s collection logic should be scoped as a multi-secret incident, not a single AWS-key event. Microsoft called out AWS credential flows, GitHub Actions OIDC request variables, npm credentials, Vault token material, Kubernetes service account files, local cloud configuration paths, and SSH material [Source 1]. AWS metadata services and container credential endpoints are especially sensitive because successful access can return temporary workload credentials [Source 6].

Exfiltration

domains:
  - "aab.sportsontheweb.net"
  - "www.sportsontheweb.net"
urls:
  - "https://aab.sportsontheweb.net/api/b"
http_headers:
  - "x-forwarded-host"
hashes_sha256:
  - "a39155771e93e65b05195c8a705dfc03aa85c2ec682505f0d557233a8f275145"
  - "9d962ed605bb4a39991f8fab9b1d2e423ea4d545f23fd44d9473a6423d94bbf"

Affected Assets and Blast Radius

affected_assets:
  ecosystems:
    - "npm"
    - "Node.js"
    - "Bun"
    - "AWS"
    - "GitHub Actions"
    - "Vault"
    - "Kubernetes"
  environments:
    - "developer workstations"
    - "CI runners"
    - "release automation"
    - "container builds"
    - "private package mirrors"
    - "package-manager caches"
  secret_material:
    - "AWS access keys and temporary credentials"
    - "AWS web identity and container credentials"
    - "GitHub Actions OIDC request tokens"
    - "npm tokens"
    - "Vault tokens"
    - "Kubernetes service account tokens"
    - "SSH private keys"
    - "local cloud config files"
not_currently_known_to_affect:
  - "legitimate OpenSearch packages"
  - "legitimate AWS SDK packages"
  - "legitimate Bun releases"

Indicators of Compromise

packages:
  - "@vpmdhaj/opensearch-setup"
  - "@vpmdhaj/elastic-helper"
  - "@vpmdhaj/aws-compat"
  - "@vpmdhaj/aws-credential-provider-env"
  - "@vpmdhaj/aws-credential-provider-http"
  - "@vpmdhaj/aws-sdk-client-opensearch"
  - "@vpmdhaj/aws-sdk-client-sts"
  - "@vpmdhaj/aws-sdk-credential-provider-node"
  - "@vpmdhaj/aws-sdk-types"
  - "@vpmdhaj/bun"
  - "@vpmdhaj/opensearch"
  - "@vpmdhaj/opensearch-project"
  - "@vpmdhaj/opensearch-js"
  - "@vpmdhaj/sts-client"
versions:
  - "@vpmdhaj/opensearch-setup@1.0.9102"
  - "@vpmdhaj/opensearch-setup@1.0.9103"
  - "@vpmdhaj/elastic-helper@1.0.7267"
  - "@vpmdhaj/elastic-helper@1.0.7268"
  - "@vpmdhaj/elastic-helper@1.0.7269"
  - "@vpmdhaj/elastic-helper@1.0.7270"
domains:
  - "aab.sportsontheweb[.]net"
  - "www.sportsontheweb[.]net"
paths:
  - "/api/b"
hashes_sha256:
  - "a39155771e93e65b05195c8a705dfc03aa85c2ec682505f0d557233a8f275145"
  - "9d962ed605bb4a39991f8fab9b1d2e423ea4d545f23fd44d9473a6423d94bbf"
environment_markers:
  - "NPX_ISOLATED_ENVIRONMENT"
  - "AWS_CONTAINER_CREDENTIALS_FULL_URI"
  - "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
  - "AWS_CONTAINER_AUTHORIZATION_TOKEN"
  - "AWS_WEB_IDENTITY_TOKEN_FILE"
  - "ACTIONS_ID_TOKEN_REQUEST_URL"
  - "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
  - "NPM_TOKEN"
  - "VAULT_TOKEN"

Detection and Hunting

Run the repo and telemetry scanner against source trees, package caches, build logs, CI exports, container build contexts, and optional CloudTrail JSON:

python3 scripts/threat-posts/vpmdhaj_npm_audit.py /path/to/repos /path/to/logs --cloudtrail /path/to/cloudtrail --out vpmdhaj-findings.json

The script exits 2 when it finds matching indicators so it can fail a CI audit job or create an incident queue item. It searches for the exact package names, known versions, Microsoft-published SHA-256 values, exfiltration domains, Bun execution context, credential marker variables, AWS/GitHub Actions/npm/Vault/Kubernetes collection paths, and CloudTrail identity events.

Repository and Lockfile Queries

rg -n "@vpmdhaj/(opensearch-setup|elastic-helper|aws-|bun|opensearch|sts-client)" package.json package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock bun.lock bun.lockb
rg -n "a39155771e93e65b05195c8a705dfc03aa85c2ec682505f0d557233a8f275145|9d962ed605bb4a39991f8fab9b1d2e423ea4d545f23fd44d9473a6423d94bbf" .

Network and Proxy Queries

index=proxy OR index=dns earliest=2026-05-01
("aab.sportsontheweb.net" OR "www.sportsontheweb.net" OR "/api/b")
| stats earliest(_time) as firstSeen latest(_time) as lastSeen values(user) values(src_ip) values(url) by host

DeviceNetworkEvents
| where Timestamp >= datetime(2026-05-01)
| where RemoteUrl has_any ("aab.sportsontheweb.net", "www.sportsontheweb.net") or RemoteUrl has "/api/b"
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Urls=make_set(RemoteUrl), Processes=make_set(InitiatingProcessCommandLine) by DeviceName, InitiatingProcessAccountName

CI and Cloud Downstream Abuse Checks

gh api /orgs/ORG/actions/runs --paginate --jq '.workflow_runs[] | select(.created_at >= "2026-05-01") | [.id,.name,.head_repository.full_name,.created_at,.event] | @tsv'
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRoleWithWebIdentity --start-time 2026-05-01T00:00:00Z
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetCallerIdentity --start-time 2026-05-01T00:00:00Z

Replace ORG with the organization being audited. A positive package hit in a runner should trigger review of the runner’s reachable AWS roles, GitHub environments, npm tokens, Vault paths, Kubernetes clusters, and deployment targets.

Remediation and Recovery

1. Remove all @vpmdhaj/* dependencies and clear package-manager caches, private registry mirrors, CI caches, and container layers that contain the packages.
2. Rebuild affected artifacts from clean dependency locks and with npm lifecycle scripts disabled unless explicitly required.
3. Rotate AWS keys and sessions, GitHub Actions secrets and OIDC trust assumptions, npm automation tokens, Vault tokens, Kubernetes service account tokens, SSH keys, and any deployment credentials reachable from matching environments.
4. Review CloudTrail, GitHub audit logs, npm publish/access logs, Vault audit logs, Kubernetes audit logs, and proxy logs for follow-on use after the first package hit.
5. Add namespace deny rules for @vpmdhaj/*, require dependency review on new scoped packages, and alert on package manager execution from release and deployment jobs.

Open Questions

• Public sources do not provide every version for every package in the cluster.
• Public sources do not identify victim organizations or downstream account abuse.
• Removed npm package tarballs may require package caches, private mirrors, or forensic disk images for deeper artifact diffing.

Sources

1. Microsoft Threat Intelligence: Typosquatted npm packages used to steal cloud and CI/CD secrets
2. npm maintainer profile: vpmdhaj
3. npm package page: @vpmdhaj/elastic-helper
4. npm CLI documentation: scripts
5. Bun documentation: runtime
6. AWS documentation: Instance metadata and user data