Malicious npm packages that steal developer secrets.
On May 28, one actor published 14 npm packages whose names were a few characters off from real OpenSearch and configuration libraries. Install one by mistake and an install script runs as part of `npm install`, before any of your own code executes. It collected AWS credentials, HashiCorp Vault tokens, and the npm tokens a CI build system uses to publish packages.
The packages did not exploit a bug. npm runs a package's lifecycle scripts (preinstall, install, postinstall) automatically during installation, with the installing user's permissions and environment, and that hook is where the theft happened. A typo in a dependency name handed over a machine's secrets.
The exposure is whatever a developer laptop holds. Cloud keys, signing tokens, and publish access sit in files and environment variables an install script can read, so one careless dependency reaches all of it. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops these hooks from running at all; packages that genuinely need a build step can then be rebuilt individually with `npm rebuild <package>`.