Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package @emcd-vue/auth on 2026-06-01 by the same anonymous account (emcd-vue@proton.me).
Confirmed to use identical infrastructure and dropper logic as @emcd-vue/auth: downloads a platform-specific second-stage payload from https://oob.moika.tech/payload/{platform} using X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, writes it to ~/.emcd-vue_init.js (dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. Beacons installation metadata to https://oob.moika.tech/report on completion.
-= Per source details. Do not edit below this line.=-
On npm install, the declared postinstall script scripts/postinstall.js executes a heavily obfuscated (obfuscator.io-style) bundle that collects host identifiers (hostname, username, homedir), the full process.env (with Windows-specific keys such as USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), the tail of shell history, and the contents of a hardcoded list of files under the user's home directory that the package itself never created. The collected object is transmitted to a remote endpoint over HTTP(S) and additionally over a covert DNS channel: the payload is base32-encoded into subdomain labels and issued as dns.Resolver().resolveTxt(...) queries in chunks, bypassing HTTP egress filters. Endpoint hostnames, header names, and API strings are reconstructed at runtime via a shuffled string array with RC4/XOR decoders. Before exfiltrating, the script checks process.argv and NODE_OPTIONS for debugger indicators and performs a timing check to detect sandboxes, skipping the exfil if analysis instrumentation is detected. The package also exhibits dependency-confusion shape: metadata references an internal-looking scope and registry (@emcd-vue, npm.emcd-vue.io, github.emcd-vue.io) while being published to the public npm registry, and dist/index.js re-exports a ../src/index.js that is absent from the tarball, so the package has no functional library surface — the postinstall is its only executable code.
{
"malicious-packages-origins": [
{
"versions": [
"7.1.8"
],
"id": "IN-MAL-2026-005832",
"import_time": "2026-06-12T19:43:38.061479074Z",
"modified_time": "2026-06-12T19:02:54Z",
"sha256": "5533f10b35ebd7228376d5d97b22009e7d836f198069a2ed894f0cc709fb2d44",
"source": "amazon-inspector"
},
{
"versions": [
"7.1.8"
],
"id": "IN-MAL-2026-005831",
"import_time": "2026-06-12T19:43:37.973434802Z",
"modified_time": "2026-06-12T19:02:53Z",
"sha256": "febfe36bf4efb63283bdcac20e625459b8f63358c2e32921a747f29bb2d65917",
"source": "amazon-inspector"
},
{
"sha256": "2ddab0dbe6a6a3771f688fd4986cb466c88abaf10035e3a774f9ebecf0cf8268",
"id": "IN-MAL-2026-008486",
"import_time": "2026-07-08T20:32:35.003194327Z",
"modified_time": "2026-07-08T20:17:51Z",
"versions": [
"7.1.7"
],
"source": "amazon-inspector"
},
{
"versions": [
"7.1.9"
],
"id": "IN-MAL-2026-008489",
"import_time": "2026-07-08T20:32:35.324357171Z",
"sha256": "40ef599bb2c80cdbd97c90ce707427cce812aaba1f050297dc0633634458a4f2",
"modified_time": "2026-07-08T20:18:19Z",
"source": "amazon-inspector"
},
{
"sha256": "7b5f346a554fe9f5f7cfc733c36d4c92c373aea12e245ef70e1031f41ff76f05",
"id": "IN-MAL-2026-009291",
"import_time": "2026-07-09T16:20:57.818890016Z",
"modified_time": "2026-07-09T15:56:12Z",
"versions": [
"7.2.0"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "loans-7.1.8.tgz",
"hashes": {
"sha512_sri": "sha512-1peMtksqIA/s5NFn+Gftk28ml3JovorSULyPMnfqtc7XGaJZf10ly0BjtQDWLa3gv+n7+F5mr2KmZ5Qgc5YGsQ==",
"sha1": "5e87e577e1a66e00c162dbf51ca2fd25eb83a7bc"
}
}
],
"evidence_files": [
{
"sha256": "d6642a67d569aa9008b3f17ecf0ca4644d6f56038f73f70027df1b394d13c45e",
"tlsh": "19526644eb8061427b079b7b372bb0d4f4194d9176d6098be2087b7cfc46629e5fae34",
"path": "scripts/postinstall.js"
}
],
"domains": [
"oob.moika.tech.ec2.internal",
"oob.moika.tech"
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/loans/MAL-2026-5165.json"