164 npm Packages Target Cloud and Finance via oob.moika.tech

TL;DR

On May 27, 2026, two npm accounts published 164 malicious packages across five scoped namespaces targeting what appear to be a cloud platform provider and a financial services company. Every package is version 99.99.99 and carries a postinstall payload that downloads a second-stage script, spawns it as a detached process, and sends the victim’s full environment variables to hxxps://oob[.]moika[.]tech/report.

Impact:

• Full process.env exfiltration on install: API keys, tokens, secrets, and any credentials present in the developer or CI environment
• Second-stage payload executes as a detached process and persists after npm install exits
• Targets cloud platform and financial services namespaces — any developer or CI pipeline resolving packages from the public registry is at risk if scopes are not locked to a private registry

Indicators of Compromise:

• npm accounts: mr.4nd3r50n, pik-libs
• C2 report endpoint: hxxps://oob[.]moika[.]tech/report
• Second-stage payload: hxxps://oob[.]moika[.]tech/payload/{mac|win|linux}.js
• Shared secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 (sent as X-Secret HTTP header)
• Temp file created: ._cloudplatform-single-spa_init.js in OS temp directory
• Version 99.99.99 in any of the five targeted scopes

The Campaign

SafeDep detected both publish events on May 27, 2026. Account mr.4nd3r50n began at 21:15 UTC, publishing 139 packages across two scopes. Account pik-libs followed 22 minutes later at 21:37 UTC, publishing 25 packages across three scopes. The 22-minute gap, identical payload code, and shared hardcoded secret all point to one actor operating both accounts.

Targeted Scopes

The package names are not generic squats. They mirror specific internal service names: @cloudplatform-single-spa/certificate-manager, @cloudplatform-single-spa/vpn, @cloudplatform-single-spa/ml-inference, @mlspace/experiments-monitoring, @car-loans/mobile-car-loans-application, @fb-deposit/form-deposit-auth. The specificity (billing, VPN, Kubernetes, ML inference, IAM, loan flows, deposit forms, debit card applications) indicates the actor profiled each organization’s internal package ecosystem before publishing.

All packages carry the same fabricated description: "Internal configuration loader with env, vault and remote config support".

The Bug Bounty Marker

Two packages from mr.4nd3r50n — @cloudplatform-single-spa/logaas and @mlspace/model-registry — carry no active payload. Their description reads "BugBounty testing by mr4nd3r50n". This pattern, placing inert probe packages alongside active stealers, appears in other campaigns where the actor tests whether internal names resolve to the public registry before deploying the payload. Whatever the intent, the remaining 162 packages executed real credential-stealing code on install.

Payload Analysis

Package Impersonation

The README for each package is crafted to pass casual inspection. Both samples follow an identical template — the package name, scope, and domain are swapped but the structure is verbatim:

1
Internal package — Platform Engineering Team
2
Docs: https://docs.car-loans.io/platform/application-aff
3
Issues: https://jira.car-loans.io/projects/PLATFORM
4

5
Internal configuration loader with env, vault and remote config support
6

7
Installation
8
# Make sure .npmrc points to the internal registry:
9
# registry=https://npm.car-loans.io

The fabricated docs and Jira URLs (docs.car-loans.io, jira.car-loans.io) mirror what real internal tooling at these organizations looks like. The .npmrc comment does the most work: it tells developers to point to a private registry (the correct security practice), making the package read as a legitimate internal artifact already published to the right place.

The README also includes a fake version history showing 2.0.0 and 2.1.0 entries with plausible changelogs. The malicious 99.99.99 is listed simply as “Added ARM64 support / Improved error handling / Updated TypeScript types.”

The Telemetry Cover Story

The most deliberate social engineering in these packages is the “telemetry” framing:

1
Telemetry
2
On install, this package sends anonymous telemetry to telemetry.car-loans.io
3
for environment compatibility monitoring.
4

5
Disable: CAR_LOANS_NO_TELEMETRY=1 npm install

The cloud platform scope uses telemetry.cloudplatform-single-spa.io and CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1. A developer who notices the outbound POST during install reads it as authorized internal telemetry. A security reviewer scanning for red flags finds a disclosure and an opt-out, both hallmarks of legitimate telemetry practice. The actual exfiltration goes to hxxps://oob[.]moika[.]tech/report, not the telemetry domain in the README, but the framing preempts suspicion before anyone looks that closely.

Execution Trigger

All active packages declare the payload through npm’s postinstall lifecycle hook in package.json:

The hook runs scripts/postinstall.js immediately after npm install completes, before control returns to the developer or CI runner.

Postinstall Flow

The payload executes in six steps:

1. Delay — pauses for 3 seconds to evade automated sandboxes that time out short-lived processes
2. OS detection — identifies the platform as mac, win, or linux
3. Second-stage download — fetches hxxps://oob[.]moika[.]tech/payload/{mac|win|linux}.js and writes it to the OS temp directory as ._cloudplatform-single-spa_init.js
4. Detached spawn — launches the downloaded script as a separate Node.js process with detached: true, so it continues running after npm install exits
5. Exfiltration — POSTs to hxxps://oob[.]moika[.]tech/report with the full contents of process.env plus hostname, username, platform, architecture, current working directory, and Node.js version
6. Fallback beacon — if the second-stage download fails, sends the same system data directly without the second stage

Infrastructure Constants

Three values are hardcoded across all 162 active packages:

1
CALLBACK_URL = https://oob.moika.tech/report
2
PAYLOAD_BASE = https://oob.moika.tech/payload
3
SECRET       = l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1

The SECRET value is sent as an X-Secret header on every outbound request. Its presence across both mr.4nd3r50n and pik-libs packages, spanning two organizations and two publishing sessions, is the clearest indicator that both campaigns share a single author.

What Gets Exfiltrated

process.env on a developer workstation or CI runner typically holds NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, database URLs, and any other credentials injected as environment variables. The payload sends the raw environment object with no key filtering. On a CI pipeline, this is effectively the full set of deployment secrets.

The 3-second delay and detached spawn mean credential theft and second-stage execution finish whether or not the developer notices the pause.

Scale and Comparison

164 packages across five namespaces in under 25 minutes. The sl4x0 campaign took nine months to publish 92 packages against 20-plus organizations. The Genoma UI campaign used three packages in April 2026.

Two things separate this campaign from most dependency confusion probes.

Most probes send DNS beacons with hostname and username — enough to confirm a hit, not enough to do damage. This payload sends raw process.env. An npm install on a CI runner with active cloud credentials is a full credential compromise.

Fetching a second stage at runtime keeps the initial package small and defers the actual capability. A registry scanner or developer reviewing the tarball sees the first stage only, and misses the real behavior. The Burp Collaborator dependency confusion technique Snyk researchers used in 2025 was single-stage; this campaign separates probe from execution.

Mitigations

1. Lock all five targeted scopes (@cloudplatform-single-spa, @mlspace, @car-loans, @fb-deposit, @debit-ib) to a private registry in .npmrc. Without a scope-locked registry, npm will resolve to the public version when the private one is unavailable.
2. Rotate any secrets that were present in process.env on systems that installed 99.99.99 versions from these scopes.
3. Search process lists and the OS temp directory for ._cloudplatform-single-spa_init.js. Check network logs for outbound connections to oob.moika.tech.
4. Run vet against your lockfiles to surface malicious packages before the next install cycle.

Affected Packages

All 164 packages are searchable below. The has_postinstall_payload column identifies the two inert probe packages (no) versus the 162 active stealers (yes).