The vpmdhaj campaign deployed 14 malicious typosquatted npm packages that silently harvest AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens during installation with no user interaction required. Any CI/CD pipeline or developer workstation that ran npm install against flagged packages between May 28, 2026 and takedown must be treated as fully compromised across all exposed credential classes. The theft of npm publish tokens creates a secondary supply chain blast radius: packages published from compromised accounts are potential malware distribution vectors to every downstream consumer.
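To decide whether a project falls under the "treated as fully compromised" rule above, the lockfile can be checked for flagged packages, including transitive ones. The following is an added example, not code from the advisory: the names in `FLAGGED` are constructed placeholders because the package list is not given here, and `auditLockfile` and its helpers are hypothetical names. `hasInstallScript` is the package-lock.json field npm sets for packages that run lifecycle scripts at install time.

```javascript
// Added example (not from the advisory). FLAGGED holds constructed placeholder
// names; substitute the package list published for the campaign.
const FLAGGED = new Set(["example-flagged-pkg-a", "@example/flagged-pkg-b"]);

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b": the package
// name is whatever follows the last "node_modules/".
function nameFromPath(path) {
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? null : path.slice(i + "node_modules/".length);
}

// Yield every locked package from the flat "packages" map (lockfileVersion
// 2/3) and from the nested "dependencies" tree (lockfileVersion 1).
function* entries(lock) {
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name) yield { name, version: meta.version, hasInstallScript: !!meta.hasInstallScript };
  }
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, meta] of Object.entries(stack.pop())) {
      yield { name, version: meta.version, hasInstallScript: null }; // v1 does not record it
      if (meta.dependencies) stack.push(meta.dependencies);
    }
  }
}

// Return one record per flagged name@version, including transitive installs.
function auditLockfile(lock, flagged = FLAGGED) {
  const hits = new Map();
  for (const e of entries(lock)) {
    const key = `${e.name}@${e.version}`;
    if (flagged.has(e.name) && !hits.has(key)) hits.set(key, e);
  }
  return [...hits.values()];
}

// Constructed lockfile: one direct and one transitive flagged dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-benign-lib": { version: "1.3.0" },
    "node_modules/example-flagged-pkg-a": { version: "0.0.3", hasInstallScript: true },
    "node_modules/example-benign-lib/node_modules/@example/flagged-pkg-b": { version: "2.1.0" },
  },
  dependencies: { "example-flagged-pkg-a": { version: "0.0.3" } },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

A lockfile shows what an install would resolve, not whether one ran; CI job history and workstation install logs for the exposure window are still needed to scope credential rotation.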