Lone attacker published 14 malicious NPM packages
A lone attacker published 14 malicious npm packages that mimicked popular libraries related to OpenSearch and Elasticsearch. These packages were designed to steal cloud credentials and CI/CD pipeline secrets. Microsoft has since removed the malicious packages and advised users to rotate their tokens to mitigate potential exposure.
- The attacker used a newly created maintainer alias to publish the malicious packages within a four-hour window.
- All packages included a credential harvester payload specifically targeting cloud environments.
- The attacker employed typosquatting and lookalike naming to trick users into installing the malicious packages.
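The lookalike-naming tactic in the bullets above is one a defender can check for mechanically before install. The script below is an added example (not code from the article, Microsoft, or any npm project): it reads a package.json, normalises each dependency name the way typosquatters hope you won't (case, scope prefix, separators), and flags names within a small edit distance of a curated allow-list. The allow-list and the sample manifest are constructed for the example; the package names in the manifest that resemble real libraries are hypothetical lookalikes, not packages from the incident.

```python
"""Flag dependency names in a package.json that resemble popular packages."""
import json
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample allow-list (assumption: in practice, use your organisation's
# approved-package list or a feed of the most-downloaded registry packages).
KNOWN_PACKAGES: Set[str] = {
    "@opensearch-project/opensearch",
    "@elastic/elasticsearch",
    "elasticsearch",
    "dotenv",
}


def normalize(name: str) -> str:
    """Collapse the tricks lookalikes rely on: case, the '@' scope marker, and separators."""
    n = name.lower()
    if n.startswith("@"):
        n = n[1:]  # "@elastic/x" and "elastic-x" should compare equal after this
    return re.sub(r"[-_./]", "", n)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, known: Set[str] = KNOWN_PACKAGES,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known', name) for an exact allow-list hit, ('lookalike', nearest)
    when the normalised name is within max_distance of an allow-listed package,
    and ('unknown', None) otherwise."""
    if name in known:
        return ("known", name)
    norm = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for k in known:
        d = levenshtein(norm, normalize(k))
        if best is None or d < best[1]:
            best = (k, d)
    if best is not None and best[1] <= max_distance:
        return ("lookalike", best[0])
    return ("unknown", None)


def scan_package_json(text: str, known: Set[str] = KNOWN_PACKAGES,
                      max_distance: int = 2) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify every dependency across the usual package.json sections."""
    manifest = json.loads(text)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    return {name: classify(name, known, max_distance) for name in deps}


# Constructed sample manifest: three hypothetical lookalikes mixed with legitimate names.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@elastic/elasticsearch": "^8.0.0",
        "elastic-elasticsearch": "1.0.0",
        "opensearch-project-opensearch": "1.0.0",
        "dotenv": "^16.0.0",
        "dot-env": "1.0.0",
        "left-pad": "1.3.0",
    }
})

if __name__ == "__main__":
    for name, (verdict, nearest) in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        hint = f"  (resembles {nearest})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {name}{hint}")
```

A "lookalike" verdict is a signal to review, not proof of malice: unscoped forks and renamed packages exist. The useful property is that a dropped scope, a swapped separator, or a one-character edit all land within the threshold, while genuinely unrelated names such as `left-pad` do not. Run it in CI against the lockfile before `npm install` executes any lifecycle scripts.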
Opening excerpt (first ~120 words)
Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
And then Microsoft busted them all
Jessica Lyons
Published Fri 29 May 2026 // 22:46 UTC

A single npm user on Thursday published 14 malicious packages within a four-hour window, all mimicking popular OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, according to Microsoft. It's the latest in a seemingly never-ending string of supply chain…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.