Microsoft Security researchers discovered a dependency confusion campaign that deployed 33 malicious npm packages to collect reconnaissance data from developer and build environments, exploiting a well-known supply-chain vulnerability in package management systems.