MAL-2026-5163

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/auth/MAL-2026-5163.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5163
Published
2026-06-01T07:04:12Z
Modified
2026-06-02T12:31:38.229175343Z
Summary
Malicious code in @emcd-vue/auth (npm)
Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package contains no functional library code — the entire package is a delivery vehicle for a multi-stage dropper embedded in a 137.5 KB single-line obfuscated postinstall hook (JScrambler/WaCk-style; 811-element encoded string array).

Trigger: scripts.postinstall -> scripts/postinstall.js

Execution flow:
- Checks EMCD_VUE_NO_TELEMETRY env var as a kill-switch (README misleadingly documents a different, non-functional kill-switch name)
- Computes a per-host/project dedup key to execute only once
- Detects platform (linux-x64, darwin-arm64, win)
- Downloads platform-specific second-stage: GET https://oob.moika.tech/payload/{platform} with X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1
- Writes payload to ~/.emcd-vue_init.js (dot-prefixed hidden file)
- Spawns payload as a detached, unref'd process — persists after npm exits
- Beacons installation metadata to https://oob.moika.tech/report
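
A defender-side check for the indicators listed above, added here as an example and not part of the advisory or the OSSF record: it scans a parsed package-lock.json for any package in the @emcd-vue scope and looks for the ~/.emcd-vue_init.js file. The sample lockfile and its version numbers are constructed; hasInstallScript is the flag npm lockfile v2/v3 records for packages that declare install scripts.

```javascript
// Added example: audit a parsed package-lock.json for the scope named in this advisory.
const ADVISORY_SCOPE = "@emcd-vue";        // scope named in the advisory
const DROPPED_FILE = ".emcd-vue_init.js";  // second-stage file written to the home directory

// Return every lockfile entry whose package name is in `scope`.
// Handles lockfileVersion 2/3 ("packages" map) and version 1 (nested "dependencies").
function findScopedInstalls(lock, scope = ADVISORY_SCOPE) {
  const hits = [];
  const inScope = (name) => name.toLowerCase().startsWith(scope.toLowerCase() + "/");
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/pkg"; keep the last segment.
    const name = path.split("node_modules/").pop();
    if (name && inScope(name)) {
      hits.push({ name, version: meta.version, path, installScript: meta.hasInstallScript === true });
    }
  }
  const walkV1 = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (inScope(name) && !hits.some((h) => h.path === path)) {
        hits.push({ name, version: meta.version, path, installScript: null }); // v1 does not record it
      }
      walkV1(meta.dependencies, path + "/");
    }
  };
  walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from a real project); the match is a transitive dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vue": { version: "3.4.0" },
    "node_modules/ui-kit/node_modules/@emcd-vue/auth": { version: "1.0.0", hasInstallScript: true },
  },
};

// Usage: node audit.js path/to/package-lock.json (falls back to the constructed sample).
import("node:fs").then((fs) => {
  const file = process.argv[2];
  const lock = file && file.endsWith(".json") ? JSON.parse(fs.readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const h of findScopedInstalls(lock)) console.log("ADVISORY MATCH", h);
  const dropped = (process.env.HOME || process.env.USERPROFILE || "") + "/" + DROPPED_FILE;
  if (fs.existsSync(dropped)) console.log("second-stage file present:", dropped);
}).catch((e) => console.error("audit failed:", e.message));
```

A lockfile match means the postinstall hook may already have run on any host that installed from it, so the home-directory check should be repeated on each such host and build agent.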

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / @emcd-vue/auth

Package

Name
@emcd-vue/auth
Purl
pkg:npm/%40emcd-vue%2Fauth

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/auth/MAL-2026-5163.json"