What starting position does this attack require?

The first step is Connect via stolen VPN profile (T1078) — a initial access primitive. Assumed environment: target organisation uses Node.

What is the final impact of this kill-chain?

The final step lands on Internal pivot (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

npm typosquat → developer workstation → corporate VPN

Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Connect via stolen VPN profile

T1078 · Valid Accounts

Initial Access

Wait for developer install

T1078 · Valid Accounts

Credential Access

Exfil ~/.ssh, ~/.aws, VPN profile

T1552 · Unsecured Credentials

Initial Access

Pick a likely typosquat name

SUP-NPM-TYPOSQUAT · npm / PyPI / RubyGems Typosquat

Execution

Publish package with postinstall payload

SUP-INSTALL-SCRIPT · Malicious Install Script

Discovery

Internal pivot

N-NMAP-INTERNAL · Internal Nmap Sweep

§ Context

Assumed environment: target organisation uses Node.js heavily. Developers run `npm install` without strict-allowlist policies and have VPN profiles + SSH keys on their laptops.

§ Steps

01
Connect via stolen VPN profileInitial Access
T1078— Valid Accounts
02
Wait for developer installInitial Access
T1078— Valid Accounts
03
Exfil ~/.ssh, ~/.aws, VPN profileCredential Access
T1552— Unsecured Credentials
04
Pick a likely typosquat nameInitial Access
SUP-NPM-TYPOSQUAT— npm / PyPI / RubyGems Typosquat
05
Publish package with postinstall payloadExecution
SUP-INSTALL-SCRIPT— Malicious Install Script
06
Internal pivotDiscovery
N-NMAP-INTERNAL— Internal Nmap Sweep

§ References

T1078Valid Accounts
T1552Unsecured Credentials

§ Frequently asked

What is the "npm typosquat → developer workstation → corporate VPN" attack path?: Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Connect via stolen VPN profile (T1078) — a initial access primitive. Assumed environment: target organisation uses Node.
What is the final impact of this kill-chain?: The final step lands on Internal pivot (N-NMAP-INTERNAL), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

npm typosquat → developer workstation → corporate VPN

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Exposed etcd → cluster-wide secret raid

Industroyer2 IEC-104 substation hijack

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB

z/OS TN3270 → RACF userID brute → mainframe shell

Leaked GitHub PAT → org takeover → supply-chain push