Typosquatted npm packages used to steal cloud and CI/CD secrets
TLP: WHITE | Tag: vpmdhaj | Author: AlienVault | Created: 2026-05-29 | Modified: 2026-05-29
A supply chain attack targeting the npm ecosystem was identified involving 14 malicious packages published under the alias vpmdhaj. These packages typosquat well-known OpenSearch, Elasticsearch, and DevOps libraries and execute their malicious payloads through npm lifecycle hooks during installation. The attack deploys a two-stage credential harvesting operation that targets AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens. The malware queries the AWS Instance Metadata Service and ECS task metadata endpoints and enumerates AWS Secrets Manager across multiple regions. Two stager variants were observed: an HTTP-based C2 beacon and a stealthier version that abuses the legitimate Bun runtime. The stolen credentials enable cloud lateral movement and downstream supply chain attacks through compromised npm maintainer identities; the campaign specifically targets developers working with cloud and CI/CD infrastructure.
Indicators of Compromise (1 of 7 total shown)
TYPE      INDICATOR                DESCRIPTION   CREATED
hostname  aab.sportsontheweb.net   (none given)  2026-05-29