MAL-2026-5165

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/loans/MAL-2026-5165.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5165
Published
2026-06-01T07:05:43Z
Modified
2026-06-02T12:31:38.267959904Z
Summary
Malicious code in @emcd-vue/loans (npm)
Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package @emcd-vue/auth on 2026-06-01 by the same anonymous account (emcd-vue@proton.me).

Confirmed to use the same infrastructure and dropper logic as @emcd-vue/auth: it downloads a platform-specific second-stage payload from https://oob.moika.tech/payload/{platform} using X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, writes it to ~/.emcd-vue_init.js (a dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. On completion, it beacons installation metadata to https://oob.moika.tech/report.

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / @emcd-vue/loans

Package

Name
@emcd-vue/loans
Purl
pkg:npm/%40emcd-vue%2Floans

Affected ranges

Type
SEMVER
Events
Introduced
0
Unknown introduced version / All previous versions are affected

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/loans/MAL-2026-5165.json"