A supply chain attack targeting the npm ecosystem has been discovered, with malicious actors deploying typosquatted packages designed to steal sensitive credentials from developers. The attack specifically targets teams working with OpenSearch, Elasticsearch, and DevOps infrastructure by distributing packages with names that closely resemble legitimate libraries.
The attackers created packages with deceptive names such as opensearch-setup and elastic-opensearch-helper, deliberately choosing identifiers that developers might install by mistake or through autocomplete suggestions. To enhance their credibility, these malicious packages included false links to the official OpenSearch GitHub repository, making them appear as authentic tools to unsuspecting developers during quick security reviews.
Once installed, the malicious code executes to exfiltrate cloud credentials and CI/CD pipeline secrets from the infected development environment. These stolen credentials could grant attackers access to cloud infrastructure, continuous integration systems, and deployment pipelines. The coordinated nature of the campaign suggests organized threat actors with specific knowledge of developer workflows and the tools commonly used in modern DevOps environments.
The impact extends beyond individual developer machines to potentially compromise entire organizational infrastructure. Stolen CI/CD secrets could allow attackers to inject malicious code into production systems, while cloud credentials might provide access to sensitive data stores, compute resources, and configuration management systems. Any organization using OpenSearch or Elasticsearch in its technology stack faces potential exposure if developers inadvertently installed these packages.
Development teams should immediately audit their npm dependencies for suspicious packages matching these naming patterns. Organizations must rotate all cloud credentials and CI/CD secrets that may have been exposed, review access logs for unauthorized activity, and implement stricter package verification processes. Security teams should consider deploying automated tools to detect typosquatting attempts and establish policies requiring manual verification of new dependencies before installation in production environments.
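For the dependency audit described above, here is an added example (not code from the original report or from the OpenSearch project): a Node.js check that scans a parsed package-lock.json for the two package names cited in this article, covering both the flat "packages" map and the older nested "dependencies" tree. The sample lockfile, its versions and the helper names are constructed for illustration; only the two flagged names come from the article.

```javascript
// Package names reported in the article; extend this set from your own advisories.
const FLAGGED = new Set(["opensearch-setup", "elastic-opensearch-helper"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry "".
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Return [{name, version, location}] for each flagged package in a parsed lockfile.
function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // An explicit "name" field appears when a package is installed under an
  // alias, so prefer it over the folder name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) {
      hits.push({ name, version: meta.version, location: path });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, so walk it recursively
  // to catch transitive installs as well as direct ones.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = [...trail, name].join(" > ");
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, location });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (versions are placeholders, not real releases).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@opensearch-project/opensearch": { version: "0.0.0" },
    "node_modules/opensearch-setup": { version: "0.0.0" },
    "node_modules/some-tool/node_modules/helper": { name: "elastic-opensearch-helper", version: "0.0.0" },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

To audit a real project, pass the result of JSON.parse on its package-lock.json to findFlagged; any hit means the credentials reachable from that machine or pipeline should be treated as exposed and rotated.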
Source: https://gbhackers.com/typosquatted-npm-packages/


