Multi-wave npm dependency-confusion campaign run by a single operator rotating disposable npm accounts and email identities. Wave 1 (2026-05-27): accounts mr.4nd3r50n and pik-libs published 164 packages at 99.99.99 across five internal scopes. Wave 2 (2026-05-29): t-in-one ([email protected]), 12 packages, Sberbank SberPay impersonation. Wave 3 (2026-06-01): emcd-vue ([email protected]), @emcd-vue scope impersonating EMCD Russian crypto exchange, WaCk/JScrambler obfuscation + FUSION_ second-stage protocol + home-dir persistence. Wave 4 (2026-07-01): a fifth npm account, marketfront ([email protected], scope @marketfront created 2026-07-01T22:59:33Z), batch-published 25 e-commerce/marketing frontend cover packages, all at version 7.0.0, in a ~3-minute window (all now 404). Wave 4 is a payload EVOLUTION: it drops the full-process.env exfiltration to oob.moika.tech/report used in Waves 1-3 in favor of TARGETED credential-FILE harvesting (~20 secret files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, ~/.bash_history), exfiltrated as a gzip-compressed HTTPS POST with a custom X-Secret header to the path /api/v1/events, plus a DNS resolver beacon. The C2 host is concealed behind an RC4+XOR layer around an embedded config blob and was NOT statically resolved (recorded as unresolved). Obfuscation shifted to obfuscator.io-style single-line ~160 KB with a custom lowercase-first base64 alphabet plus a per-string RC4 layer (static base64 decode of the string table only recovers primitives like charCodeAt/fromCharCode). SafeDep attributes Wave 4's TTP to the confirmed-malicious @emcd-vue (Wave 3) actor; the @emcd-vue predecessor scope remained live and was republished as of 2026-07-02 (@emcd-vue/[email protected], @emcd-vue/[email protected], @emcd-vue/[email protected]). Wave 4 also has a same-day sibling scope @tqm-mfe (single package @tqm-mfe/main at 5.4.7 and 5.5.0, published 2026-07-01) by npm user t.tqm.mfe under a NEW Proton Mail identity [email protected] (distinct from [email protected]), impersonating Tinkoff / T-Bank internal Angular ESLint tooling and carrying the same scope-parameterized Platform Engineering fingerprint, RC4/XOR obfuscation class (~182 KB), and non-functional decoy dist/index.js; its credential-file harvester behavior is inferred from the family match, not independently decoded, and its C2 host was not statically resolved.
Objective
Compromise developer and CI environments via npm dependency confusion against internal package scopes, harvesting on-disk credentials and secrets (SSH keys, cloud/registry/git credentials, environment files) for downstream access, while rotating disposable publisher accounts and concealing C2 infrastructure.
Packages
- npm @cloudplatform-single-spa/billingattributed-to
- npm @mlspace/shared-storageattributed-to
- npm @car-loans/mobile-car-loans-applicationattributed-to
- npm @fb-deposit/form-depositattributed-to
- npm @debit-ib/mobile-debit-ib-additional-card-formattributed-to
- npm @t-in-one/add_applicationattributed-to
- npm @capibar.chat/ui-kitattributed-to
- npm @sber-ecom-core/sberpay-widgetattributed-to
- npm @emcd-vue/authattributed-to
- npm @emcd-vue/loansattributed-to
- npm @emcd-vue/b2b-pay-formattributed-to
- npm @marketfront/headerattributed-to
- npm @marketfront/actualordersnippetpopupattributed-to
- npm @marketfront/advertisingdevtoolattributed-to
- npm @marketfront/bannerpopupattributed-to
- npm @marketfront/baobabtechattributed-to
- npm @marketfront/basemarkettemplateattributed-to
- npm @marketfront/blenderdevtoolattributed-to
- npm @marketfront/captchaserviceattributed-to
- npm @marketfront/changefilterattributed-to
- npm @marketfront/commonecommerceattributed-to
- npm @marketfront/customdealsfeedattributed-to
- npm @marketfront/designsystemdevtoolattributed-to
- npm @marketfront/devtoolsloaderattributed-to
- npm @marketfront/digitalherobannercarouselattributed-to
- npm @marketfront/dynamicpageparamsattributed-to
- npm @marketfront/errorcounterattributed-to
- npm @marketfront/fashiononboardingpopupattributed-to
- npm @marketfront/fingerprintattributed-to
- npm @marketfront/footerattributed-to
- npm @marketfront/gotoauthpopupattributed-to
- npm @marketfront/infopopupattributed-to
- npm @marketfront/livestreampreviewpopupattributed-to
- npm @marketfront/madvpopupattributed-to
- npm @marketfront/mychatspreloaderattributed-to
- npm @marketfront/navbarattributed-to
- npm @tqm-mfe/mainattributed-to
Indicators
- domain oob.moika.techcommunicates-with
- url https://oob.moika.tech/reportexfiltrates-to
- url https://oob.moika.tech/payload/mac.jscommunicates-with
- url https://oob.moika.tech/payload/win.jscommunicates-with
- url https://oob.moika.tech/payload/linux.jscommunicates-with
- file_path ._cloudplatform-single-spa_init.jsdrops
- domain telemetry.cloudplatform-single-spa.iocommunicates-with
- domain npm.cloudplatform-single-spa.iocommunicates-with
- domain telemetry.car-loans.iocommunicates-with
- domain npm.car-loans.iocommunicates-with
- file_path ._t-in-one_init.jsdrops
- email [email protected]attributed-to
- domain npm.t-in-one.iocommunicates-with
- file_path ~/.emcd-vue_init.jsdrops
- email [email protected]attributed-to
- domain emcd-vue.iocommunicates-with
- sha256 3a24e0fd22dce86e897b09cdb146514a0dcf2430a5d3f307c6b5959155c34b33indicates
- sha256 78b06a93c16d990d896ed2c77f48097977ae452f009c0345b5396efdf963a97cindicates
- sha256 acb6f87e440ccb5efe299313e7adb506586e31a6e7381515a9fb2057965f715eindicates
- email [email protected]attributed-to
- url /api/v1/eventsexfiltrates-to
- domain npm.marketfront.iocommunicates-with
- domain telemetry.marketfront.iocommunicates-with
- domain github.marketfront.iocommunicates-with
- email [email protected]attributed-to
- domain docs.tqm-mfe.iocommunicates-with
- domain jira.tqm-mfe.iocommunicates-with
- domain npm.tqm-mfe.iocommunicates-with
- domain telemetry.tqm-mfe.iocommunicates-with
- domain github.tqm-mfe.iocommunicates-with
- md5 7c1a3a2eea2fa01246179bcfcd2648b0indicates
- md5 eba5d3fa62ff3bbcd9d3a75d7f884de2indicates
- md5 7f01e8546af142347587931cf56cc47aindicates
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1036 Masqueradinguses
- ttp T1105 Ingress Tool Transferuses
- ttp T1546 Event Triggered Executionuses
- ttp T1497 Virtualization/Sandbox Evasionuses
- ttp README Telemetry Disclosure Social Engineeringuses
- ttp Three-layer JavaScript payload obfuscationuses
- ttp WaCk/JScrambler JavaScript obfuscationuses
- ttp Structured env-var capability handshake to second stageuses
- ttp Home-directory payload persistenceuses
- ttp Deliberate kill-switch mismatch (non-functional README opt-out)uses
- ttp Plausible version number evasionuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1560 Archive Collected Datauses
- ttp T1071.004 Application Layer Protocol: DNSuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp RC4/XOR-concealed C2 configuration blobuses