Find notable cyber news and cases, enriched with sources, timelines, and signals.

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
First reported
Last updated
Happening score
H score 40
1 unique sources, 1 articles

Summary

Hide ▲

A new vpmdhaj supply-chain campaign has surfaced in 14 malicious npm packages that use a preinstall credential harvester to steal AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD secrets from developer hosts. The packages were published on May 28, 2026 and were built to look like legitimate developer tooling. That turns ordinary installs into a high-risk entry point for downstream compromise and secret theft.

Related Happenings

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity
H score40 First: 09.07.2026 18:09 Last: 09.07.2026 18:09 Sources 1

About this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Hijacked npm and Go packages deploying Python infostealer via VS Code auto-run tasks

Malware Activity
H score30 First: 29.06.2026 08:36 Last: 29.06.2026 08:36 Sources 1

About this happening: Hijacked **npm** and **Go** packages now deliver a **Python infostealer** through a hidden **VS Code auto-run task**, putting developer machines and credentials at risk across **W...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Timeline

  1. 29.05.2026 12:11 2 articles · 1mo ago

    vpmdhaj publishes 14 malicious npm packages that harvest developer secrets

    Initial Disclosure

    A threat actor using the handle vpmdhaj published 14 malicious npm packages on May 28, 2026, using typosquatted names that resemble OpenSearch, ElasticSearch, DevOps, and environment-configuration tooling. The packages launch a purpose-built credential harvester through a preinstall hook to steal AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from developer hosts.

    Show sources