PULSE NAME
Malicious npm packages abuse dependency confusion to profile developer environments
WHITE AlienVault 2026-05-30 Modified: 2026-06-02
16 IOCs
MEDIUM VOLUME
Microsoft Threat Intelligence identified an active supply chain attack involving malicious npm packages that employ dependency confusion techniques. Between May 28-29, 2026, a threat actor using three maintainer aliases published malicious packages across nine organizational scopes that mirror real corporate namespaces. The packages execute obfuscated reconnaissance payloads through npm lifecycle hooks, collecting system information, environment variables, and developer credentials. All packages connect to the same command-and-control server and deploy a 17KB JavaScript dropper designed for environment fingerprinting. The campaign includes platform-specific payloads for Windows, macOS, and Linux, with CI/CD detection bypass capabilities. The architecture operates in reconnaissance-only mode but supports server-side toggling for full exploitation. Forensic analysis indicates all three accounts are operated by a single individual, evidenced by shared C2 infrastructure, identical hardcoded authentication toke...
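A defender-side check for the exposure described above, as an added example (not code from Microsoft or from this pulse): it walks an npm v2/v3 lockfile and reports packages in a private scope that resolved from a host other than the internal registry, plus any other package that runs install-time lifecycle scripts. The scope `@acme`, the host `npm.internal.example` and the sample lockfile are constructed placeholders.

```javascript
// Added example: audit an npm v2/v3 lockfile for dependency-confusion exposure.
// ASSUMPTIONS: "@acme" and "npm.internal.example" are hypothetical placeholders.
const POLICY = {
  privateScopes: ["@acme"],
  privateRegistryHost: "npm.internal.example",
};

// Constructed sample shaped like package-lock.json (lockfileVersion 3).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@acme/auth": {
      version: "2.1.0",
      resolved: "https://npm.internal.example/@acme/auth/-/auth-2.1.0.tgz",
    },
    "node_modules/@acme/billing": {
      version: "99.0.1",
      resolved: "https://registry.npmjs.org/@acme/billing/-/billing-99.0.1.tgz",
      hasInstallScript: true,
    },
    "node_modules/left/node_modules/native-thing": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/native-thing/-/native-thing-1.2.3.tgz",
      hasInstallScript: true,
    },
  },
};

// Hostname of the tarball URL, or null when it is absent or unparsable.
function hostOf(resolved) {
  try { return new URL(resolved).hostname; } catch { return null; }
}

function auditLockfile(lock, policy) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace sources and workspace symlinks.
    if (!path.includes("node_modules/") || entry.link) continue;
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const scope = name.startsWith("@") ? name.split("/")[0] : null;
    const host = hostOf(entry.resolved);
    const hooks = Boolean(entry.hasInstallScript); // lifecycle scripts run on install
    if (scope !== null && policy.privateScopes.includes(scope) && host !== policy.privateRegistryHost) {
      findings.push({ name, version: entry.version, host, issue: "private-scope-wrong-registry", runsInstallScript: hooks });
    } else if (hooks) {
      findings.push({ name, version: entry.version, host, issue: "install-script-review", runsInstallScript: true });
    }
  }
  return findings;
}

console.log(auditLockfile(SAMPLE_LOCK, POLICY));
```

Running installs in CI with `npm ci --ignore-scripts` keeps lifecycle hooks from executing before findings like these are reviewed.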
Indicators of Compromise (16)