MAL-2026-5164

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/b2b-pay-form/MAL-2026-5164.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5164
Published
2026-06-01T07:00:00Z
Modified
2026-07-09T16:31:55.722465158Z
Summary
Malicious code in @emcd-vue/b2b-pay-form (npm)
Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages @emcd-vue/auth and @emcd-vue/loans, which share C2 infrastructure at oob.moika.tech.

The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the @emcd-vue scope has no affiliation with the real EMCD exchange (emcd.io). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from https://oob.moika.tech/payload/{platform} using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to https://oob.moika.tech/report.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e)

@emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm postinstall lifecycle hook. On npm install, the script builds a platform-keyed URL from os.platform(), performs an HTTPS GET of a remote payload, writes it to os.tmpdir(), and spawns it via spawn(process.execPath, [tmpFile], {detached:true}).unref() — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose. The package metadata is also fabricated dependency-confusion bait: scope @emcd-vue and all referenced domains (emcd-vue.io, github.emcd-vue.io, jira.emcd-vue.io, docs.emcd-vue.io, npm.emcd-vue.io, telemetry.emcd-vue.io) are not owned by any public organization, and the README instructs consumers to point npm at https://npm.emcd-vue.io while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches @emcd-vue or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "5.7.4"
            ],
            "id": "IN-MAL-2026-006150",
            "import_time": "2026-06-12T19:44:13.684281435Z",
            "modified_time": "2026-06-12T19:10:00Z",
            "sha256": "a7ba596c8dca7145a8e505cdb4cf2c96dd1a4e741ea55192e076da181ecc6d38",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "5.7.4"
            ],
            "id": "IN-MAL-2026-006149",
            "import_time": "2026-06-12T19:44:13.524497209Z",
            "sha256": "e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e",
            "modified_time": "2026-06-12T19:10:00Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "5.7.5"
            ],
            "id": "IN-MAL-2026-008470",
            "modified_time": "2026-07-08T20:15:18Z",
            "sha256": "e79de3341867d04d08fa606ab88a0a0d306adaf2b1e1aac3d5301c8ef2590d23",
            "import_time": "2026-07-08T20:32:33.000783546Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "fb2341faa5bb4d4b363651831ecb13f4bb45eaa27a3a5ef6f7ca48a7f4bf0de2",
            "id": "IN-MAL-2026-008381",
            "import_time": "2026-07-08T20:32:21.344258396Z",
            "modified_time": "2026-07-08T20:01:53Z",
            "versions": [
                "5.7.3"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "2fc49e259169a9cbb0a1412a88cf70f42f05d15dbda4bf60027d5425e3efc679",
            "id": "IN-MAL-2026-009249",
            "import_time": "2026-07-09T16:20:54.27788027Z",
            "modified_time": "2026-07-09T15:49:58Z",
            "versions": [
                "5.8.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @emcd-vue/b2b-pay-form

Package

Name
@emcd-vue/b2b-pay-form
View open source insights on deps.dev
Purl
pkg:npm/%40emcd-vue/b2b-pay-form

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

5.*
5.7.3
5.7.4
5.7.5
5.8.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3a18539d35b742ada67fded5569314159308daea53075f171be9ecfb14cb4ab8",
            "tlsh": "075293456fc090916b17aebb6337a0d0d526496af665488fe3007ff8fc91326e2d6e34",
            "path": "scripts/postinstall.js"
        },
        {
            "sha256": "79edb765f0d3613b80e60f01cd28942211e823851a8d34bac8d777a1592479d5",
            "tlsh": "3b117831c5749d331ad42296aae45502b6b61c0b1c4abc2c37c3106d4b8e2ab14bc6be",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "b2b-pay-form-5.7.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-g7OZSH0uESsscbr+OSxEBJpH2swuthrwbuxkVxziCU5k0d5RwXLRnPCvdFJZfadw0f6t9aqSoIDY34BV7guzcA==",
                "sha1": "13944ee6302a445884490112e70d1e522d6f2d21"
            }
        }
    ],
    "domains": [
        "oob.moika.tech",
        "oob.moika.tech.ec2.internal"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/b2b-pay-form/MAL-2026-5164.json"