Malicious npm packages abuse dependency confusion to profile developer environments

A single threat actor registered 33 malicious npm packages under spoofed organizational scopes (including Sberbank) to exploit dependency confusion. The packages execute obfuscated postinstall hooks during npm install to exfiltrate system info, hostnames, environment variables, and credentials. A server-side flag enables follow-on exploitation.

CRITICALAdvisoryMay 31, 2026

Action required

Audit npm dependency trees for packages under organizational scopes published May 28-29, 2026. Cross-reference against your actual internal package registries. Block and revoke any suspicious package installs and scan affected developer machines for credential theft and lateral movement.

Affected products

MicrosoftSberbank

Linked articles

Malicious npm packages abuse dependency confusion to profile developer environments

Source links

https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/