Microsoft reported that a newly created maintainer alias, vpmdhaj, published 14 malicious npm packages within a four-hour window on May 28, 2026. The packages imitated OpenSearch, Elasticsearch, DevOps, and environment-configuration libraries, a pattern that placed the campaign squarely in the software supply-chain risk category.
The security significance is practical rather than theoretical. According to microsoft.com, the packages harvested AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from host environments after installation. That means the blast radius could extend beyond a developer workstation into cloud accounts and build systems.
Microsoft said the packages used npm lifecycle hook abuse and a shared install-time stager. The second-stage payload was a Bun-compiled credential harvester of about 195 KB. The report did not frame the campaign as a vulnerability with a CVE; it described malicious packages that abused trust in package names, metadata, and installation behavior.
feeds.feedburner.com reported that shadow AI has moved beyond employees pasting sensitive material into chatbots. The newer risk described in the May 29 report is employees using AI to build full applications, connect them to production systems, and publish them on the open internet without security or IT review.
The report framed the change in simple terms: the artifact moved from a prompt to a product. That shift changes the security model. A prompt leak is serious, but an exposed application can create a persistent attack surface with authentication gaps, hardcoded secrets, weak access controls, and unmanaged data flows.
The report referred to 2,000 exposed vibe-coded applications. The phrase describes applications assembled with heavy AI assistance, often by users who may not follow secure development practices. The security issue is not that AI wrote code; it is that deployment can happen faster than governance, logging, review, and ownership.
feeds.feedburner.com reported that a previously undocumented threat actor called GREYVIBE has carried out ongoing attacks against Ukraine and Ukraine-related entities since at least August 2025. The report cited WithSecure's assessment that the group is Russian-speaking and operates broadly in the Russian time zone.
The available evidence links the activity to geopolitical targeting rather than broad cybercrime. The report said the activity aligns with Kremlin state interests, specifically in relation to Ukraine. That does not by itself prove formal state control, but it gives defenders a useful frame for victimology and likely target selection.
The report's title referred to AI-powered cyberattacks, but the provided evidence does not describe specific model use, prompts, payloads, or exploit mechanics. Responsible coverage should keep that boundary clear. The confirmed points are the actor name, the target set, the timeline, and WithSecure's assessment of language, time zone, and interest alignment.
feeds.feedburner.com reported that researchers found a malicious NuGet package masquerading as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. The package, named Sicoob.Sdk, was described as a credential-stealing package rather than a vulnerability in Sicoob itself.
According to the report, Socket found that versions 2.0.0 through 2.0.4 contained functionality to exfiltrate sensitive information. The data targeted included client IDs and PFX certificates, which can be used in authentication and secure communications.
The same report placed the NuGet finding alongside npm package activity aimed at cloud secrets. Together, the incidents show how attackers are using developer package ecosystems as entry points into higher-value credentials.
cisa.gov said it added CVE-2026-0257, a Palo Alto Networks vulnerability, to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed vulnerabilities by the required due date.
The provided CISA evidence does not include a CVSS score, affected version range, or workaround text. Its main significance is the KEV status itself. KEV inclusion means CISA has evidence that attackers are exploiting the flaw in the wild, making remediation more urgent for exposed environments.
A separate feeds.feedburner.com report described an unknown threat actor using a large language model agent after exploiting CVE-2026-39987 in an internet-reachable Marimo notebook. The report said the attacker extracted two cloud credentials from the compromised environment. It did not provide a CVSS score in the supplied evidence.
This incident fits a familiar supply-chain pattern: attackers do not need to break a registry if they can persuade users or automated workflows to install the wrong package. Typosquatting works because many development environments trust package installation as a routine action. A single misplaced character, copied command, or dependency entry can turn that routine into credential exposure.
The four-hour publication window matters because package campaigns often depend on speed. Short-lived packages can still be pulled into local caches, CI jobs, test environments, or developer machines before takedown. In this case, Microsoft described one maintainer identity and a cluster of packages that shared the same installation logic. That common structure suggests an organized campaign rather than unrelated uploads.
The target set also explains the likely intent. AWS credentials, Vault tokens, and CI/CD secrets are not ordinary endpoint data. They can grant access to infrastructure, deployment workflows, internal services, and production secrets. In many organizations, a compromised build environment can become more damaging than a compromised laptop because it sits near release automation and trusted artifacts.
The immediate mitigation is dependency hygiene. Security teams should review npm installs for the named package cluster described by Microsoft, rotate any exposed cloud or CI/CD credentials, and inspect recent build logs for unusual postinstall activity. Developers should treat newly published packages that imitate popular infrastructure libraries as high-risk until provenance is clear.
There is no CVSS score because this is not a vendor-scored software flaw. It is a malicious package campaign. That distinction affects response: patching a product will not be enough. The defensive work is inventory, removal, token rotation, registry policy, and monitoring for package-install behavior that reaches out to command-and-control infrastructure or reads secrets from the environment.
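One way to start the install-hook review described above, as an added example that is not code from Microsoft's report: it lists every package in a `package-lock.json` (lockfileVersion 2 or 3) that npm marks with `hasInstallScript`, minus a reviewed allowlist, and reads the lifecycle hooks out of a single `package.json`. The package names and sample files are constructed placeholders, since the campaign's package names are not given on this page.

```python
import json

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample lockfile; every package name here is a placeholder.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-native-addon": {"version": "4.2.0", "hasInstallScript": True},
        "node_modules/example-search-client": {"version": "0.0.1", "hasInstallScript": True},
        "node_modules/example-util": {"version": "2.1.3"},
        "node_modules/example-util/node_modules/example-env-loader":
            {"version": "1.0.0", "hasInstallScript": True},
    },
})

def package_name(lock_path):
    """Turn 'node_modules/a/node_modules/@scope/b' into '@scope/b'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def install_script_packages(lock_text, allowlist=frozenset()):
    """Return sorted (name, version) pairs that run install-time scripts and are not allowlisted."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("no 'packages' map (lockfileVersion 1); regenerate with npm 7 or later")
    hits = set()
    for path, meta in lock["packages"].items():
        if not path:  # the "" key is the root project itself
            continue
        name = package_name(path)
        if meta.get("hasInstallScript") and name not in allowlist:
            hits.add((name, meta.get("version", "?")))
    return sorted(hits)

def manifest_hooks(manifest_text):
    """Return the install lifecycle hooks declared in one package.json."""
    scripts = json.loads(manifest_text).get("scripts", {})
    return {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}

if __name__ == "__main__":
    # Allowlist is an assumption: packages your team has already reviewed.
    for name, version in install_script_packages(SAMPLE_LOCK, {"example-native-addon"}):
        print(f"review install script: {name}@{version}")
```

Installing with `npm ci --ignore-scripts` keeps these hooks from running while the flagged entries are reviewed.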
The pressure behind this trend is easy to understand. AI coding tools reduce the time between idea and working software. That helps teams automate small workflows, dashboards, forms, and internal utilities. It also lowers the barrier for non-engineering teams to publish tools that touch real business data.
Security programs were built around known software paths: repositories, code review, ticketed deployments, approved cloud accounts, and asset inventories. AI-built applications can bypass those paths when employees assemble and deploy them with personal accounts, unmanaged hosting, or copied credentials. Once that happens, the security team may not know the application exists until it is indexed, scanned, abused, or reported.
The operational problem is ownership. If an employee creates an application with AI help and connects it to a production service, who patches it, reviews dependencies, rotates secrets, responds to alerts, and validates access controls? Without that owner, small applications can become orphaned internet-facing systems.
The response should focus on visibility before punishment. Organizations need inventories of externally reachable assets, cloud resources, low-code deployments, and repositories tied to business domains. They also need a sanctioned path for employees to build lightweight tools with guardrails. Blocking all AI-built software may drive the activity further out of view.
For developers and security teams, the practical check is straightforward: identify public endpoints and applications that were not deployed through standard channels, scan them for exposed credentials and authentication gaps, and move legitimate tools into governed environments. The report did not identify a CVE, exploit code, or a single vendor patch. The mitigation is process control, asset discovery, and secure deployment defaults.
The main security lesson is that geopolitical targeting remains a long-running operational problem for organizations connected to Ukraine. The timeline begins no later than August 2025, which suggests persistence rather than a short campaign tied to one news event. Long-running campaigns often depend on repeated access attempts, infrastructure changes, and tailored lures rather than one exploit.
Attribution language also deserves care. WithSecure assessed that GREYVIBE is Russian-speaking and operates broadly in the Russian time zone. Those are indicators, not a complete chain of proof. They support a working hypothesis about the actor's operating environment, but defenders should treat them as context for prioritization rather than as courtroom-level attribution.
For likely targets, the risk is concentrated around organizations with Ukrainian government, defense, humanitarian, media, infrastructure, or partner relationships. Even companies outside Ukraine can become targets if they provide services, logistics, data, or advocacy connected to the conflict.
The practical response is to assume social engineering and credential access remain central risks unless technical reporting proves otherwise. Security teams should review identity logs, harden multifactor authentication, restrict remote access, monitor suspicious mailbox rules, and validate endpoint detections against the tactics described by WithSecure when available.
No CVE, CVSS score, or patchable product flaw appears in the provided evidence for this cluster. That means defenders should not wait for a vendor advisory before acting. The response is threat-informed monitoring, user protection, incident readiness, and review of exposed services used by Ukraine-linked staff or partners.
This campaign matters because NuGet packages often sit inside trusted enterprise development workflows. A package that appears to be a banking SDK can attract developers who need to integrate financial services. If that package quietly collects identifiers and certificates, the compromise can affect both application security and business authentication flows.
PFX certificates are especially sensitive. They can bundle private keys with certificates and are commonly protected by passwords. If an attacker obtains the file and any related secret, they may be able to impersonate a client, authenticate to services, or weaken trust boundaries that were assumed to be certificate-backed.
The affected version range gives teams a concrete starting point. Any use of Sicoob.Sdk versions 2.0.0 through 2.0.4 should trigger dependency review, build artifact inspection, and credential rotation. That review should include developer machines, CI pipelines, package lock files, artifact repositories, and container images.
The issue is not presented as a CVE with a CVSS score. It is a malicious package finding. Response should therefore look more like incident containment than normal patch management. Remove the package, identify where it ran, determine which credentials it could access, rotate exposed client IDs and certificates, and monitor for suspicious authentication attempts tied to those identities.
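A sketch of the dependency review for the reported range, added here as an example and not taken from Socket's or the original report's tooling: it checks a NuGet `packages.lock.json` and a project file's `PackageReference` items for Sicoob.Sdk 2.0.0 through 2.0.4. The sample file contents and the `Example.Logging` package are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE_ID = "sicoob.sdk"                          # NuGet package IDs are case-insensitive
FIRST_BAD, LAST_BAD = (2, 0, 0, 0), (2, 0, 4, 0)   # version range reported on this page

# Constructed samples: illustrative file contents, not from a real project.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {
    "net8.0": {
        "Sicoob.Sdk": {"type": "Direct", "requested": "[2.0.3, )", "resolved": "2.0.3"},
        "Example.Logging": {"type": "Transitive", "resolved": "2.0.1"},
    },
    "net6.0": {"sicoob.sdk": {"type": "Transitive", "resolved": "2.0.5"}},
}})
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="SICOOB.SDK" Version="2.0.4" />
  <PackageReference Include="Example.Logging"><Version>2.0.1</Version></PackageReference>
</ItemGroup></Project>"""

def is_affected(version_text):
    """True for an exact version inside 2.0.0..2.0.4; ranges and wildcards return False."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?", version_text.strip())
    if not m:
        return False
    # Pre-release labels are ignored, so 2.0.0-beta is flagged conservatively.
    return FIRST_BAD <= tuple(int(p or 0) for p in m.groups()) <= LAST_BAD

def scan_lock(lock_text):
    """Return (framework, resolved, type) for affected entries in a packages.lock.json."""
    hits = []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        for name, meta in deps.items():
            if name.lower() == PACKAGE_ID and is_affected(meta.get("resolved", "")):
                hits.append((framework, meta["resolved"], meta.get("type", "?")))
    return hits

def scan_csproj(xml_text):
    """Return affected versions pinned by PackageReference items in a project file."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":   # tolerate XML namespaces
            continue
        if el.get("Include", "").lower() != PACKAGE_ID:
            continue
        child = next((c for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        version = el.get("Version") or (child.text if child is not None else "") or ""
        if is_affected(version):
            hits.append(version)
    return hits
```

A transitive hit in the lock file matters as much as a direct one: the package still ran in the build, so the same rotation steps apply.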
The broader pattern is cross-ecosystem abuse. npm and NuGet serve different developer communities, but both rely on naming trust, publisher reputation, and automation. Attackers exploit those assumptions because package installation often happens before deep inspection. That makes registry controls, private mirrors, allowlists, and software composition analysis more important for teams handling financial or cloud credentials.
CISA's KEV catalog is a prioritization tool. Many vulnerabilities receive CVE identifiers, but KEV entries have an additional signal: known exploitation. For federal civilian agencies, BOD 22-01 turns that signal into a remediation obligation. For private-sector teams, KEV status is still useful because it separates theoretical exposure from observed attacker interest.
The Palo Alto Networks entry, CVE-2026-0257, should move ahead of ordinary patch queues where the affected product is present. The evidence supplied here does not name affected versions or a mitigation. Teams should use the vendor advisory and their asset inventory to identify exposure, then patch or apply compensating controls according to the official remediation path.
The Marimo report adds a different angle. CVE-2026-39987 involved an internet-reachable notebook, and the attacker reportedly used a large language model agent after initial compromise. That is important because AI assistance may compress post-exploitation work such as reconnaissance, file review, and command planning. The report does not provide attack code, and defenders do not need it to act.
For notebook and data-science environments, the lesson is direct. Internet exposure should be minimized, authentication should be enforced, secrets should not live in notebook environments, and cloud credentials should use least privilege. If a Marimo instance was reachable during the relevant period, teams should inspect logs, rotate exposed credentials, and review outbound activity.
The two CVE items differ in source strength and actionability. CISA provides an official exploitation signal for CVE-2026-0257. The Marimo report provides incident-style detail around CVE-2026-39987 and post-compromise behavior. Both point to the same response principle: prioritize internet-facing systems where exploitation can lead quickly to cloud credentials.
| Fact | Publisher | Source |
|---|---|---|
| A threat actor published 14 malicious npm packages within four hours on May 28. | microsoft.com | microsoft.com |
| The npm packages targeted AWS credentials, Vault tokens, and CI/CD secrets. | microsoft.com | microsoft.com |
| Shadow AI now includes employees publishing AI-built applications to the internet. | feeds.feedburner.com | thehackernews.com |
| GREYVIBE has targeted Ukraine-linked entities since at least August 2025. | feeds.feedburner.com | thehackernews.com |
| Sicoob.Sdk versions 2.0.0 through 2.0.4 contained credential-stealing functions. | feeds.feedburner.com | thehackernews.com |
| CISA added CVE-2026-0257 to its KEV catalog based on active exploitation evidence. | cisa.gov | cisa.gov |
| A Marimo notebook compromise followed exploitation of CVE-2026-39987. | feeds.feedburner.com | thehackernews.com |
A. microsoft.com reported 14 malicious npm packages that imitated familiar infrastructure libraries and targeted AWS credentials, Vault tokens, and CI/CD secrets. The risk was not only local compromise; stolen build or cloud secrets can expose production systems.
A. feeds.feedburner.com described a move from prompts to deployed applications. That matters because an unmanaged app can persist on the internet, handle business data, and create an attack surface long after the original AI-assisted build session ends.
A. feeds.feedburner.com reported that Socket found credential-stealing functions in those versions. Teams that used them should remove the package, review build and endpoint exposure, rotate client IDs and PFX certificates, and monitor related authentication activity.
A. cisa.gov added CVE-2026-0257 to KEV based on active exploitation evidence. That status should move affected Palo Alto Networks assets ahead of routine patch queues, especially where the product is internet-facing or protects sensitive network paths.
A. The key watch points are vendor advisories for CVE-2026-0257, affected-version details for CVE-2026-39987, registry takedowns, new package names linked to the Microsoft campaign, and any WithSecure updates on GREYVIBE targeting or tooling.
Last updated: 2026-05-30T03:22:38.528Z