MAL-2026-5164

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/b2b-pay-form/MAL-2026-5164.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5164
Published
2026-06-01T07:00:00Z
Modified
2026-06-02T12:31:38.252971018Z
Summary
Malicious code in @emcd-vue/b2b-pay-form (npm)
Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages @emcd-vue/auth and @emcd-vue/loans, which share C2 infrastructure at oob.moika.tech.

The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the @emcd-vue scope has no affiliation with the real EMCD exchange (emcd.io). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from https://oob.moika.tech/payload/{platform} using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to https://oob.moika.tech/report.
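A lockfile check for the scope named above, as an added example that is not part of the advisory or of any EMCD or OSV code. It goes slightly beyond this one package and flags every `@emcd-vue` entry, including npm aliases and nested installs; the function name, the sample lockfile, and its package names and versions are constructed for illustration.

```javascript
// Scope named in the advisory; the whole scope is attacker-registered.
const BAD_SCOPE = '@emcd-vue/';
const NM = 'node_modules/';

// Returns sorted, de-duplicated "name@version" strings for every entry of a
// parsed package-lock.json that belongs to the flagged scope.
function findScopedPackages(lock) {
  const hits = new Set();
  const record = (name, meta) => {
    if (name.startsWith(BAD_SCOPE)) {
      hits.add(`${name}@${(meta && meta.version) || 'unknown'}`);
    }
  };

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  // An aliased install keeps the real package name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(NM);
    const fromPath = idx >= 0 ? path.slice(idx + NM.length) : '';
    record((meta && meta.name) || fromPath, meta);
  }

  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      record(name, meta);
      walk(meta && meta.dependencies);
    }
  };
  walk(lock.dependencies);

  return [...hits].sort();
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vue': { version: '3.4.0' },
    'node_modules/@emcd-vue/b2b-pay-form': { version: '0.0.0-constructed' },
    'node_modules/ui-kit/node_modules/@emcd-vue/auth': { version: '0.0.0-constructed' },
    'node_modules/http-client': { name: '@emcd-vue/loans', version: '0.0.0-constructed' },
  },
};

console.log(findScopedPackages(SAMPLE_LOCK));
```

To audit a project, pass the parsed contents of its `package-lock.json` to `findScopedPackages`; any non-empty result means the dropper's postinstall step may already have run on machines that installed from that lockfile.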

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / @emcd-vue/b2b-pay-form

Package

Name
@emcd-vue/b2b-pay-form
Purl
pkg:npm/%40emcd-vue%2Fb2b-pay-form

Affected ranges

Type
SEMVER
Events
Introduced
0
Unknown introduced version / All previous versions are affected

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/b2b-pay-form/MAL-2026-5164.json"