vpmdhaj OpenSearch / ElasticSearch / DevOps typosquat burst (14 npm packages, Bun stager → cloud + CI/CD secret theft)
Microsoft Threat Intelligence flagged 14 typosquat npm packages published on 2026-05-28 by a single new maintainer alias vpmdhaj (a39155771@gmail.com) in a ~4-hour window. Install-time stager pulls a ~195KB Bun-compiled credential harvester from aab.sportsontheweb[.]net/x.php (X-Supply: 1 header) and exfiltrates AWS, HashiCorp Vault, GitHub Actions and npm publish tokens.
- Detected by
- Microsoft Threat Intelligence
- Also known as
- vpmdhaj burst · sportsontheweb.net campaign
- Ecosystems
- npm
- Packages tracked
- 14
What happened
Microsoft Threat Intelligence published an analysis on 2026-05-28 of a focused npm typosquat burst by a single newly-created maintainer account vpmdhaj (a39155771@gmail.com). Within ~4 hours on 2026-05-28 the actor pushed 14 packages — 4 scoped under @vpmdhaj/*, 10 unscoped — that impersonate well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, with several spoofing the upstream opensearch-project GitHub URL in their package.json to look legitimate to a reviewer skimming metadata.
The scoped tranche (@vpmdhaj/elastic-helper, @vpmdhaj/devops-tools, @vpmdhaj/opensearch-setup, @vpmdhaj/search-setup) landed first at versions in the 1.0.7267–1.0.7269 range as test releases. The unscoped tranche followed in a ~30-minute burst at 2026-05-28T20:17–2026-05-28T21:03 UTC, all stamped with high build numbers (1.0.9100–1.0.9300, plus 2.1.9201 for env-config-manager) so they would outrank legitimate releases in semver resolution. npm unpublished every malicious version listed on 2026-05-29 within hours of detection; the publisher account was suspended.
The payload chain is a two-stage Bun loader. The postinstall hook downloads a small JS stager (SHA-256 638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D) over HTTP from aab.sportsontheweb[.]net/x.php on port 80, carrying the marker header X-Supply: 1. The stager pulls a ~195KB Bun-compiled stage-2 (SHA-256 77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D), spawns it as a detached process with __DAEMONIZED=1 so it outlives the npm install, and walks the host for AWS credentials (IMDS, ECS task role, Secrets Manager), HashiCorp Vault tokens, GitHub Actions OIDC and GitHub PATs, and npm publish tokens. The harvester is purpose-built for cloud and CI/CD environments — there is no crypto-wallet logic — which together with the npm-token theft suggests the operator is staging tokens for a downstream worm wave.
- The Bun runtime + cloud/Vault/CI focus mirror the Mini Shai-Hulud TeamPCP family (TanStack 2026-05-11, durabletask 2026-05-19, AntV 2026-05-19), but Microsoft does NOT attribute
vpmdhajto TeamPCP — different infrastructure, different stager hash, different aliases, and no worm propagation observed yet in the 24h after publish. Treat the toolchain similarity as a tradecraft signal, not a hard link. - No GHSA advisories are published yet (as of 2026-05-31 ingest); confirmation comes from Microsoft Defender detections (
Trojan:JS/ObfusNpmJsfamily) and direct npm registry verification of the unpublish entries for the 10 unscoped names. - Scoped
@vpmdhaj/*versions are sourced from the Microsoft blog; the npm registry returns empty manifests for those names today, consistent with a hard delete rather than an unpublish. - This burst landed the same day as the
mr.4nd3r50n/t-in-oneoob.moika.techdependency-confusion campaign tracked separately innpm-2026-05-28-moika-dependency-confusion.ts; the two are unrelated (different infrastructure, different aliases, different payloads) but together demonstrate sustained Russian-language actor activity against npm on 2026-05-28.
Affected packages (14)
- npm
@vpmdhaj/devops-tools1.0.7267 - npm
@vpmdhaj/elastic-helper1.0.7269 - npm
@vpmdhaj/opensearch-setup1.0.7267 - npm
@vpmdhaj/search-setup1.0.7268 - npm
app-config-utility1.0.92001.0.9300 - npm
elastic-opensearch-helper1.0.72651.0.91031.0.91041.0.91051.0.91061.0.91071.0.9108 - npm
env-config-manager2.1.9201 - npm
opensearch-config-utility1.0.72651.0.91041.0.91051.0.9106 - npm
opensearch-security-scanner1.0.81.0.91.0.10 - npm
opensearch-setup1.0.90001.0.91001.0.91011.0.91021.0.9103 - npm
opensearch-setup-tool1.0.72651.0.91061.0.91071.0.9108 - npm
search-cluster-setup1.0.72651.0.91021.0.91031.0.9104 - npm
search-engine-setup1.0.72651.0.91051.0.91061.0.91071.0.9108 - npm
vpmdhaj-opensearch-setup1.0.91011.0.9102
Impact
- AWS credential theft: IMDS, ECS task role, Secrets Manager
- HashiCorp Vault tokens lifted from
~/.vault-tokenandVAULT_TOKENenv - GitHub Actions OIDC and
GITHUB_TOKENextracted from runner env - npm publish tokens stolen — primary worm propagation vector for follow-on bursts
- Bun-compiled ~195KB stage-2 payload runs as detached process with
__DAEMONIZED=1to survivenpm installexit
What to do
- 1Audit
package.json, lockfiles and CI caches for the 14 names below; npm has unpublished every malicious version listed but cached copies in CI may persist - 2Block egress to
aab.sportsontheweb[.]netand hunt for outbound HTTP requests carryingX-Supply: 1 - 3Rotate any AWS access keys, ECS task role credentials, Vault tokens, GitHub PATs, OIDC trust relationships and npm tokens reachable from a host that installed one of these packages
- 4Hunt for
__DAEMONIZED=1in process env or shell history on developer / CI hosts - 5Add stager and payload SHA-256 hashes to EDR allow-blocklists:
638788AFC4F1B5860A328312CAF5895ABD5F5632D28A4F2A85B09076E270D15D(stage 1),77D92EFE7AF3547F71FD41D4A884872D66B1BE9499EAA637E91EAC866911694D(stage 2) - 6Enforce internal-scope reservation for
@opensearch-project,@elastic, and any internal DevOps scope so confusion typosquats lose semver resolution