The “Gen-2” Loader: How Malicious NPM Packages Are Evading Detection to Steal Your Secrets

A highly coordinated supply chain attack has been identified targeting the DevOps ecosystem, specifically focusing on developers utilizing OpenSearch, Elasticsearch, and various CI/CD orchestration tools. Unlike generic malware, this campaign is surgically designed to exfiltrate high-value cloud credentials and CI/CD secrets, providing attackers with a direct pathway into production environments.

The threat actor employs advanced deception techniques to bypass human scrutiny. By utilizing typosquatting—creating packages with names like opensearch-setup and elastic-opensearch-helper—and embedding spoofed metadata that links to official OpenSearch GitHub repositories, the attacker builds a facade of legitimacy. To further mimic established software, the malicious packages are published with unnaturally high version numbers, tricking developers into believing they are installing mature, widely-vetted libraries.

The infection vector is purely automated. Upon execution of npm install, the malicious code triggers via npm lifecycle hooks (specifically the preinstall script). This allows for immediate, silent execution the moment a dependency is fetched, requiring zero user interaction once the installation command is issued.

Two-Stage Execution Architecture

The attack has evolved through two distinct technical iterations to evade modern security monitoring.

Stage 1: The Information Stager
In the initial version, a JavaScript-based stager acts as a reconnaissance agent. It harvests critical system telemetry—including hostname, operating system architecture, Node.js runtime versions, and a comprehensive dump of environment variables. This data is transmitted to a remote Command-and-Control (C2) server via a unique HTTP header: X-Supply: 1. This header serves as a primary forensic indicator for network defenders.

Stage 2: The Bun-Based Payload
According to research published by Microsoft, the attacker (identified as “vpmdhaj”) transitioned to a more stealthy “Gen-2” loader. This version eliminates the noisy initial C2 round-trip. Instead, it dynamically fetches the legitimate Bun runtime from GitHub. It then uses this runtime to execute a compact, Bun-compiled binary payload embedded directly within the npm package. By leveraging a legitimate runtime, the attacker effectively masks malicious activity under the guise of standard runtime operations.

Analysis of inflated versioning and spoofed repository links in npm packages.
Analysis of inflated versioning and spoofed repository links in npm packages (Source: Microsoft).

Targeted Credential Harvesting and Persistence

The second-stage payload is a precision tool designed for deep cloud penetration. Its primary objectives include:

  • AWS Exploitation: The malware scrapes AWS credentials from environment variables and performs automated queries against the EC2 Instance Metadata Service (IMDS) and ECS task metadata endpoints. It also attempts to enumerate sensitive data within AWS Secrets Manager across multiple geographic regions.
  • Identity Hijacking: The payload targets HashiCorp Vault tokens and validates npm publish tokens. The latter is particularly dangerous, as it allows attackers to hijack a maintainer’s account to push malicious updates to legitimate, widely-used packages.
  • CI/CD Compromise: GitHub Actions secrets are targeted to facilitate lateral movement within automated build pipelines.

To ensure longevity, the malware implements a persistence mechanism where the malicious module re-executes its payload every time it is imported into an application’s codebase. This allows the infection to persist across different development cycles and throughout various stages of the CI/CD pipeline.

Gen-2 loader architecture.
The Gen-2 stealth loader architecture (Source: Microsoft).

Incident Response and Mitigation Strategies

While the identified malicious packages have been purged from the npm registry, the risk remains for any environment that ingested these dependencies after May 28, 2026. Security teams should immediately implement the following:

  1. Audit & Rotate: Perform a comprehensive audit of dependency lock files. Immediately rotate all exposed secrets, specifically AWS IAM roles, HashiCorp Vault tokens, npm publish tokens, and GitHub Actions secrets.
  2. Runtime Defense: Monitor network logs for the X-Supply: 1 HTTP header. Review CloudTrail logs for anomalous API activity, such as unexpected cross-region secret access or rapid role assumptions.
  3. Development Hardening: Consider using the --ignore-scripts flag during npm installations in sensitive environments to prevent lifecycle hook execution.

Indicators of Compromise (IOC)

Typosquat – ElasticSearch/OpenSearch helperTyposquat – DevOps tools / OpenSearch setupTyposquat – OpenSearch setup utilityUnscoped lookalike – Spoofs official repo URLUnscoped lookalike – Spoofs official repo URLTyposquat – dotenv-style config managerTyposquat – Generic app config utility

Indicator (Package Name) Type
@vpmdhaj/elastic-helper (1.0.7269) Package
@vpmdhaj/devops-tools (1.0.67) Package
@vpmdhaj/opensearch-setup (1.0.67) Package
opensearch-setup (1.0.9103) Package
elastic-opensearch-helper (1.0.9108) Package
env-config-manager (2.1.9201) Package
app-config-utility (1.0.9300) Package

 

Related Articles

Back to top button