Malicious npm packages steal cloud secrets

TL;DR: Microsoft has uncovered a software supply chain attack using typosquatted npm packages to steal cloud and CI/CD credentials. The attack uses npm lifecycle hooks for execution and abuses the legitimate Bun runtime as a loader to deploy credential-stealing malware, targeting developers and their environments.
Key facts
- Category: Cybersecurity
- Impact: Critical
- Published
- Source: Microsoft Security
Full summary
A new supply chain attack uses typosquatted npm packages to steal cloud and CI/CD credentials by abusing legitimate developer tools like Bun.
Microsoft has identified a sophisticated supply chain attack targeting the npm ecosystem. Attackers published malicious packages that mimic legitimate ones through typosquatting and spoofed metadata. Once a developer installs one of these packages, the attack is triggered automatically through npm's lifecycle hooks, such as `postinstall` scripts. This initial step downloads a first-stage payload, which then abuses the legitimate Bun JavaScript runtime. The Bun runtime is used as a loader to fetch and execute the final credential-stealing malware, a technique designed to evade common security checks by hiding within a trusted tool's processes.
The primary goal of this campaign is to steal sensitive credentials from developer environments and continuous integration/continuous deployment (CI/CD) pipelines. This includes secrets for cloud platforms like AWS, Google Cloud, and Azure, as well as tokens for services like GitHub. By gaining access to these credentials, attackers can compromise critical infrastructure, exfiltrate data, and move laterally across an organization's network. The attack's blast radius is significant, as a single compromised developer machine or CI/CD runner can provide a gateway to an entire cloud environment. This incident underscores the vulnerability of software supply chains and the importance of securing every stage of the development lifecycle.
Why it matters
This attack highlights the increasing sophistication of software supply chain threats. By compromising a single developer or CI/CD pipeline, attackers can gain access to an organization's most critical cloud infrastructure, making this a high-impact threat for any company building software.
Business impact
A breach originating from a compromised npm package can lead to significant financial and reputational damage. Stolen cloud credentials can result in data exfiltration, service disruption, and unauthorized infrastructure usage, leading to costly remediation efforts and loss of customer trust.
⚡ Action needed
Action is required to secure your development environments and CI/CD pipelines against this type of supply chain attack.
Action checklist
1. Audit your project dependencies for typosquatted or suspicious packages.
2. Use the `--ignore-scripts` flag during `npm install` to prevent automatic script execution.
3. Implement strict access controls and credential management for CI/CD environments.
4. Scan development environments and build servers for indicators of compromise.
5. Educate development teams on the risks of typosquatting and supply chain attacks.
Primary source: Microsoft Security