MAL-2026-5165

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/loans/MAL-2026-5165.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5165
Published
2026-06-01T07:05:43Z
Modified
2026-07-09T16:31:55.735891401Z
Summary
Malicious code in @emcd-vue/loans (npm)
Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package @emcd-vue/auth on 2026-06-01 by the same anonymous account (emcd-vue@proton.me).

Confirmed to use identical infrastructure and dropper logic as @emcd-vue/auth: downloads a platform-specific second-stage payload from https://oob.moika.tech/payload/{platform} using X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, writes it to ~/.emcd-vue_init.js (dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. Beacons installation metadata to https://oob.moika.tech/report on completion.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7b5f346a554fe9f5f7cfc733c36d4c92c373aea12e245ef70e1031f41ff76f05)

On npm install, the declared postinstall script scripts/postinstall.js executes a heavily obfuscated (obfuscator.io-style) bundle that collects host identifiers (hostname, username, homedir), the full process.env (with Windows-specific keys such as USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), the tail of shell history, and the contents of a hardcoded list of files under the user's home directory that the package itself never created. The collected object is transmitted to a remote endpoint over HTTP(S) and additionally over a covert DNS channel: the payload is base32-encoded into subdomain labels and issued as dns.Resolver().resolveTxt(...) queries in chunks, bypassing HTTP egress filters. Endpoint hostnames, header names, and API strings are reconstructed at runtime via a shuffled string array with RC4/XOR decoders. Before exfiltrating, the script checks process.argv and NODE_OPTIONS for debugger indicators and performs a timing check to detect sandboxes, skipping the exfil if analysis instrumentation is detected. The package also exhibits dependency-confusion shape: metadata references an internal-looking scope and registry (@emcd-vue, npm.emcd-vue.io, github.emcd-vue.io) while being published to the public npm registry, and dist/index.js re-exports a ../src/index.js that is absent from the tarball, so the package has no functional library surface — the postinstall is its only executable code.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.1.8"
            ],
            "id": "IN-MAL-2026-005832",
            "import_time": "2026-06-12T19:43:38.061479074Z",
            "modified_time": "2026-06-12T19:02:54Z",
            "sha256": "5533f10b35ebd7228376d5d97b22009e7d836f198069a2ed894f0cc709fb2d44",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "7.1.8"
            ],
            "id": "IN-MAL-2026-005831",
            "import_time": "2026-06-12T19:43:37.973434802Z",
            "modified_time": "2026-06-12T19:02:53Z",
            "sha256": "febfe36bf4efb63283bdcac20e625459b8f63358c2e32921a747f29bb2d65917",
            "source": "amazon-inspector"
        },
        {
            "sha256": "2ddab0dbe6a6a3771f688fd4986cb466c88abaf10035e3a774f9ebecf0cf8268",
            "id": "IN-MAL-2026-008486",
            "import_time": "2026-07-08T20:32:35.003194327Z",
            "modified_time": "2026-07-08T20:17:51Z",
            "versions": [
                "7.1.7"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "7.1.9"
            ],
            "id": "IN-MAL-2026-008489",
            "import_time": "2026-07-08T20:32:35.324357171Z",
            "sha256": "40ef599bb2c80cdbd97c90ce707427cce812aaba1f050297dc0633634458a4f2",
            "modified_time": "2026-07-08T20:18:19Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "7b5f346a554fe9f5f7cfc733c36d4c92c373aea12e245ef70e1031f41ff76f05",
            "id": "IN-MAL-2026-009291",
            "import_time": "2026-07-09T16:20:57.818890016Z",
            "modified_time": "2026-07-09T15:56:12Z",
            "versions": [
                "7.2.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @emcd-vue/loans

Package

Name
@emcd-vue/loans
View open source insights on deps.dev
Purl
pkg:npm/%40emcd-vue/loans

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*
7.1.7
7.1.8
7.1.9
7.2.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "loans-7.1.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-1peMtksqIA/s5NFn+Gftk28ml3JovorSULyPMnfqtc7XGaJZf10ly0BjtQDWLa3gv+n7+F5mr2KmZ5Qgc5YGsQ==",
                "sha1": "5e87e577e1a66e00c162dbf51ca2fd25eb83a7bc"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "d6642a67d569aa9008b3f17ecf0ca4644d6f56038f73f70027df1b394d13c45e",
            "tlsh": "19526644eb8061427b079b7b372bb0d4f4194d9176d6098be2087b7cfc46629e5fae34",
            "path": "scripts/postinstall.js"
        }
    ],
    "domains": [
        "oob.moika.tech.ec2.internal",
        "oob.moika.tech"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/loans/MAL-2026-5165.json"