oob-moika-tech-depconf-2026

discovered 2026-05-28

Multi-wave npm dependency-confusion campaign run by a single operator rotating disposable npm accounts and email identities. Wave 1 (2026-05-27): accounts mr.4nd3r50n and pik-libs published 164 packages at 99.99.99 across five internal scopes. Wave 2 (2026-05-29): t-in-one ([email protected]), 12 packages, Sberbank SberPay impersonation. Wave 3 (2026-06-01): emcd-vue ([email protected]), @emcd-vue scope impersonating EMCD Russian crypto exchange, WaCk/JScrambler obfuscation + FUSION_ second-stage protocol + home-dir persistence. Wave 4 (2026-07-01): a fifth npm account, marketfront ([email protected], scope @marketfront created 2026-07-01T22:59:33Z), batch-published 25 e-commerce/marketing frontend cover packages, all at version 7.0.0, in a ~3-minute window (all now 404). Wave 4 is a payload EVOLUTION: it drops the full-process.env exfiltration to oob.moika.tech/report used in Waves 1-3 in favor of TARGETED credential-FILE harvesting (~20 secret files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, ~/.bash_history), exfiltrated as a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, plus a DNS resolver beacon. The C2 host is concealed behind an RC4+XOR layer around an embedded config blob and was NOT statically resolved (recorded as unresolved). Obfuscation shifted to obfuscator.io-style single-line ~160 KB with a custom lowercase-first base64 alphabet plus a per-string RC4 layer (static base64 decode of the string table only recovers primitives like charCodeAt/fromCharCode). SafeDep attributes Wave 4's TTP to the confirmed-malicious @emcd-vue (Wave 3) actor; the @emcd-vue predecessor scope remained live and was republished as of 2026-07-02 (@emcd-vue/[email protected], @emcd-vue/[email protected], @emcd-vue/[email protected]). Wave 4 also has a same-day sibling scope @tqm-mfe (single package @tqm-mfe/main at 5.4.7 and 5.5.0, published 2026-07-01) by npm user t.tqm.mfe under a NEW Proton Mail identity [email protected] (distinct from [email protected]), impersonating Tinkoff / T-Bank internal Angular ESLint tooling and carrying the same scope-parameterized Platform Engineering fingerprint, RC4/XOR obfuscation class (~182 KB), and non-functional decoy dist/index.js; its credential-file harvester behavior is inferred from the family match, not independently decoded, and its C2 host was not statically resolved.

Objective

Compromise developer and CI environments via npm dependency confusion against internal package scopes, harvesting on-disk credentials and secrets (SSH keys, cloud/registry/git credentials, environment files) for downstream access, while rotating disposable publisher accounts and concealing C2 infrastructure.

Packages

Indicators

Techniques

Read the full analysis →