Three coordinated npm supply chain campaigns, active May 20-29, 2026, deployed 47 malicious packages via dependency confusion, typosquatting, and a compromised publisher account (@antv scoped packages). All campaigns execute postinstall scripts at npm install time that silently harvest AWS credentials, HashiCorp Vault tokens, GitHub Actions OIDC tokens, and npm publish tokens from developer workstations and CI/CD runners. Any Node.js build pipeline that executed npm install during this window requires immediate credential audit and rotation.
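As a triage aid for the audit described above, the following added example (not code from the advisory) walks a parsed package-lock.json (lockfileVersion 2 or 3) and reports entries that run install scripts, sit in a watched scope, or belong to an internal scope but were resolved from a registry other than the private one. The scope `@acme-internal`, the host `npm.acme.example` and every package name in the sample are constructed assumptions; only the `@antv` scope comes from the text.

```javascript
// Constructed sample in package-lock.json v2/v3 shape; every name and URL is made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/@antv/example-pkg": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/@antv/example-pkg/-/example-pkg-9.9.9.tgz",
      hasInstallScript: true,
    },
    "node_modules/@acme-internal/billing": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/@acme-internal/billing/-/billing-99.0.0.tgz",
      hasInstallScript: true,
    },
    "node_modules/foo/node_modules/native-thing": {
      version: "2.0.0",
      resolved: "https://npm.acme.example/native-thing/-/native-thing-2.0.0.tgz",
      hasInstallScript: true,
    },
  },
};

// Package name is whatever follows the last "node_modules/" in the lockfile path.
function packageName(lockPath) {
  return lockPath.slice(lockPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

function auditLockfile(lock, { watchedScopes = [], internalScopes = [], privateHost = "" } = {}) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace sources and symlinked workspace entries.
    if (!path.includes("node_modules/") || meta.link) continue;
    const name = packageName(path);
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    const reasons = [];
    if (meta.hasInstallScript) reasons.push("install-script"); // pre/post/install hook present
    if (scope && watchedScopes.includes(scope)) reasons.push("watched-scope");
    let host = "";
    try { host = new URL(meta.resolved).host; } catch { /* no resolved URL (bundled or local) */ }
    if (scope && internalScopes.includes(scope) && host !== privateHost) {
      reasons.push("internal-scope-from-foreign-registry"); // dependency-confusion indicator
    }
    if (reasons.length) findings.push({ name, version: meta.version, host, reasons });
  }
  return findings;
}
```

To use it on a real project, pass the object parsed from package-lock.json together with your own scope list and private registry host. A hit is a lead to correlate with CI logs from the affected window, not proof of compromise.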