Two coordinated malicious npm package campaigns published May 28-29, 2026 targeted enterprise CI/CD pipelines and developer workstations — one using 33 dependency-confusion packages to silently profile environments, and a second using 14 typosquatting packages to exfiltrate AWS credentials, HashiCorp Vault tokens, and CI/CD secrets at install time. Any organization with Node.js development workflows or cloud-connected build pipelines is at risk of credential theft and downstream cloud environment compromise. This carries the highest priority score of this week’s rollup.
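A lockfile audit covering the two behaviours described above, internal names resolving from a foreign registry and packages that run code at install time; this is an added example, not code from the campaigns or from any vendor tooling, and it does not detect typosquats by name. The lockfile, package names, the `npm.internal.example` host and the policy object are constructed assumptions; `resolved`, `hasInstallScript`, `link` and `inBundle` are standard package-lock.json fields.

```javascript
// Constructed package-lock.json (v3 shape); every name and internal host here is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@acme/build-utils": {
      resolved: "https://npm.internal.example/@acme/build-utils/-/build-utils-1.4.0.tgz" },
    "node_modules/@acme/config-loader": { hasInstallScript: true,
      resolved: "https://registry.npmjs.org/@acme/config-loader/-/config-loader-99.0.1.tgz" },
    "node_modules/example-native-addon": { hasInstallScript: true,
      resolved: "https://registry.npmjs.org/example-native-addon/-/example-native-addon-2.0.0.tgz" },
    "node_modules/example-cli/node_modules/exampel-helper": { hasInstallScript: true,
      resolved: "https://registry.npmjs.org/exampel-helper/-/exampel-helper-1.0.0.tgz" },
    "node_modules/@acme/local-tool": { resolved: "packages/local-tool", link: true },
  },
};

// Assumed policy: which name prefixes are internal, which registry host must
// serve them, and which packages have had their install scripts reviewed.
const SAMPLE_POLICY = {
  internalPrefixes: ["@acme/"],
  internalHost: "npm.internal.example",
  allowedInstallScripts: ["example-native-addon"],
};

function resolvedHost(resolved) {
  try { return new URL(resolved).host; } catch { return null; }
}

function auditLockfile(lock, policy) {
  const marker = "node_modules/";
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace sources, symlinked workspaces and bundled deps.
    if (!key.includes(marker) || meta.link || meta.inBundle) continue;
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    const host = resolvedHost(meta.resolved);
    const internal = policy.internalPrefixes.some((p) => name.startsWith(p));
    if (internal && host !== policy.internalHost) {
      findings.push({ name, issue: "internal-name-from-foreign-registry", host });
    }
    if (meta.hasInstallScript && !policy.allowedInstallScripts.includes(name)) {
      findings.push({ name, issue: "unreviewed-install-script", host });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_POLICY));
```

Run as a CI gate before `npm ci`, a non-empty result is a reason to fail the build and review the flagged entries.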