A confirmed compromise of npm publish tokens means attackers may have the ability to distribute malicious code to any organization that installs packages published by affected maintainers, creating liability exposure that extends to customers and partners downstream. Compromised AWS credentials and Vault tokens can enable unauthorized access to production infrastructure, sensitive data stores, and internal systems, with potential for data exfiltration, ransomware deployment, or prolonged persistent access. Organizations in regulated industries handling personal data, payment card data, or protected health information face regulatory notification obligations if compromised build pipelines had access to production data environments.
You Are Affected If
Your development or CI/CD environment ran npm install on or after May 28, 2026 against any of the 14 packages identified in the vpmdhaj campaign
Your build runners, developer workstations, or containers have access to AWS IAM credentials, IMDS endpoints, HashiCorp Vault tokens, or GitHub Actions secrets
Your CI/CD pipeline uses npm publish tokens stored as environment variables or secrets accessible during the build process
Your build environment runs on AWS EC2 or ECS instances with IMDSv1 enabled or without IMDS access restrictions
Your organization does not enforce package integrity verification (hash pinning or lockfile validation) in CI/CD pipelines
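One concrete way to test the last condition above (lockfile validation) before a pipeline runs npm ci, as an added example that is not part of this advisory: a Python audit of a package-lock.json that flags dependencies lacking an integrity hash, dependencies resolved from outside the expected registry, and any package on a watch list. The sample lockfile, the TRUSTED_REGISTRY value and the watch list are constructed for the demo; the advisory does not name the 14 packages, so the watch list must be filled in from your own indicator source.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout) used only for
# this demo; package names, URLs and hashes are placeholders, not real indicators.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH0000000000000000000000==",
        },
        "node_modules/example-unpinned": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/example-unpinned/-/example-unpinned-2.0.0.tgz",
        },
        "node_modules/example-offregistry": {
            "version": "0.1.0",
            "resolved": "http://mirror.internal.example/example-offregistry-0.1.0.tgz",
            "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH1111111111111111111111==",
        },
    },
})

# Assumed trusted source; change to your private registry if you proxy npm.
TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def audit_lockfile(lock_text, watchlist=()):
    """Return {package_path: [problem, ...]} for every dependency that fails a check.

    Only the lockfileVersion 2/3 "packages" map is inspected; the root entry ("")
    describes the project itself and is skipped.
    """
    lock = json.loads(lock_text)
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue
        # Works for nested and scoped paths: ".../node_modules/@scope/name" -> "@scope/name".
        name = path.rsplit("node_modules/", 1)[-1]
        problems = []
        if "integrity" not in entry:
            problems.append("missing integrity hash")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            problems.append(f"resolved outside trusted registry: {resolved or '<none>'}")
        if name in watchlist:
            problems.append("on watchlist")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for pkg, problems in audit_lockfile(SAMPLE_LOCKFILE).items():
        print(pkg, "->", "; ".join(problems))
```

A non-empty result should fail the build step; run it against the real lockfile in the repository and pass the campaign's package names as the watchlist.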
Board Talking Points
Attackers published fake software packages that silently steal cloud access credentials and CI/CD secrets the moment a developer installs them, and any organization that installed these packages between May 28 and their removal must assume those credentials are in adversary hands.
All affected teams must revoke and rotate cloud credentials, pipeline secrets, and software publishing tokens immediately, and security operations should audit build pipelines for signs of compromise within 24 hours.
If no action is taken, stolen software publishing tokens could allow attackers to distribute malware through our own software releases to customers and partners, compounding reputational and legal exposure well beyond the initial incident.
SOC 2 — compromise of CI/CD secrets and cloud credentials may constitute a security incident requiring disclosure under trust service criteria for availability and confidentiality
GDPR / regional data protection laws — if compromised build pipelines had access to environments processing personal data, breach notification obligations may apply
PCI-DSS — if compromised AWS credentials or Vault tokens provided access to cardholder data environments, mandatory breach assessment and notification requirements apply under PCI-DSS Requirement 12.10