oob-moika-tech-depconf-2026
Wave 2 (2026-05-29) of the oob-moika-tech dependency confusion campaign. A third npm account, t-in-one (email [email protected]), published 12 packages across three new scopes: @t-in-one (10 packages at 5.7.1), @capibar.chat/ui-kit (99.5.7), and @sber-ecom-core/sberpay-widget (99.5.8, impersonating Sberbank's SberPay payment widget). All Wave 2 packages reuse the same C2 host (oob.moika.tech) and the same hardcoded X-Secret value (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) as the May 27 Wave 1 packages published by mr.4nd3r50n and pik-libs, tying all three accounts to one operator. Unlike Wave 1's cleartext payload, Wave 2 ships a three-layer-obfuscated postinstall.js (obfuscator.io + custom base64 alphabet + integer-shuffle string table), a functional T_IN_ONE_NO_TELEMETRY kill switch, and a run-once guard at ~/.cache/._t-in-one_init/. The @capibar.chat and @sber-ecom-core scopes were pre-staged with benign 99.0.7 versions on 2026-05-04. See campaign--oob-moika-tech-depconf-2026 (Wave 1 record) for the original 164 packages.
Objective
Exfiltrate developer and CI environment credentials (process.env) and deploy a persistent OS-aware second-stage agent via npm dependency confusion, extending the May 27 campaign to internal auth/token modules and a real bank's payment widget (Sberbank).
Packages
- npm: @cloudplatform-single-spa/billing (attributed-to)
- npm: @mlspace/shared-storage (attributed-to)
- npm: @car-loans/mobile-car-loans-application (attributed-to)
- npm: @fb-deposit/form-deposit (attributed-to)
- npm: @debit-ib/mobile-debit-ib-additional-card-form (attributed-to)
- npm: @t-in-one/add_application (attributed-to)
- npm: @capibar.chat/ui-kit (attributed-to)
- npm: @sber-ecom-core/sberpay-widget (attributed-to)
Indicators
- domain: oob.moika.tech (communicates-with)
- url: https://oob.moika.tech/report (exfiltrates-to)
- url: https://oob.moika.tech/payload/mac.js (communicates-with)
- url: https://oob.moika.tech/payload/win.js (communicates-with)
- url: https://oob.moika.tech/payload/linux.js (communicates-with)
- file_path: ._cloudplatform-single-spa_init.js (drops)
- domain: telemetry.cloudplatform-single-spa.io (communicates-with)
- domain: npm.cloudplatform-single-spa.io (communicates-with)
- domain: telemetry.car-loans.io (communicates-with)
- domain: npm.car-loans.io (communicates-with)
- file_path: ._t-in-one_init.js (drops)
- email: [email protected] (attributed-to)
- domain: npm.t-in-one.io (communicates-with)
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1036 Masquerading (uses)
- ttp: T1105 Ingress Tool Transfer (uses)
- ttp: T1546 Event Triggered Execution (uses)
- ttp: T1497 Virtualization/Sandbox Evasion (uses)
- ttp: README Telemetry Disclosure Social Engineering (uses)
- ttp: Three-layer JavaScript payload obfuscation (uses)
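The following triage script is an added example and is not part of this campaign record or of any tooling the record describes. It checks a lockfile's `packages` map for the campaign scopes named above and for the core dependency-confusion symptom (a scope the organisation treats as internal resolving from the public registry, or carrying an implausible 99.x version), and it checks an install script for the indicators listed above (C2 host, X-Secret value, kill-switch variable, run-once marker). The lockfile, the `@acme-internal` scope and the install-script fragment are constructed samples; the indicator strings are the ones in the record.

```javascript
// Added example, not the record's own code. Indicator values are taken from the
// campaign record above; the lockfile and install-script samples are constructed.

const CAMPAIGN_SCOPES = ['@t-in-one', '@capibar.chat', '@sber-ecom-core'];
const C2_HOST = 'oob.moika.tech';
const X_SECRET = 'l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1';
const KILL_SWITCH = 'T_IN_ONE_NO_TELEMETRY';
const RUN_ONCE_MARKER = '._t-in-one_init';
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// Derive the package name from a lockfile path such as
// "node_modules/foo/node_modules/@scope/name" (take the last node_modules segment).
function nameFromPath(path) {
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Scan the "packages" map of a v2/v3 lockfile. internalScopes lists the scopes
// the organisation publishes only to a private registry. Findings:
//   - any package from a scope this campaign used;
//   - an internal-scope package that resolved from the public registry;
//   - an internal-scope package with a 99.x version (the pre-staged 99.0.7 and
//     99.5.x releases are chosen to win semver resolution over real versions).
function scanLockfile(lock, internalScopes) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = meta.name || nameFromPath(path);
    const scope = name.startsWith('@') ? name.split('/')[0] : null;
    if (!scope) continue;
    const version = meta.version || '';
    if (CAMPAIGN_SCOPES.includes(scope)) {
      findings.push({ name, version, reason: 'campaign scope' });
    }
    if (internalScopes.includes(scope)) {
      if ((meta.resolved || '').startsWith(PUBLIC_REGISTRY)) {
        findings.push({ name, version, reason: 'internal scope resolved from public registry' });
      }
      if (/^99\./.test(version)) {
        findings.push({ name, version, reason: 'implausibly high version' });
      }
    }
  }
  return findings;
}

// Look for the campaign's hardcoded strings in an install script. The layered
// obfuscation does not necessarily hide these literals, but the generic
// "reads process.env and talks to the network" heuristic is kept as a fallback.
function scanInstallScript(source) {
  const hits = [];
  if (source.includes(C2_HOST)) hits.push('c2 host');
  if (source.includes(X_SECRET)) hits.push('x-secret');
  if (source.includes(KILL_SWITCH)) hits.push('kill switch env var');
  if (source.includes(RUN_ONCE_MARKER)) hits.push('run-once marker');
  if (/process\.env/.test(source) && /https?:\/\//.test(source)) hits.push('env read + network');
  return hits;
}

// Constructed sample lockfile: one campaign package, one hypothetical internal
// package wrongly resolved from npmjs.org, and one ordinary public package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@sber-ecom-core/sberpay-widget': {
      version: '99.5.8',
      resolved: 'https://registry.npmjs.org/@sber-ecom-core/sberpay-widget/-/sberpay-widget-99.5.8.tgz',
      hasInstallScript: true,
    },
    'node_modules/@acme-internal/auth': {
      version: '2.3.1',
      resolved: 'https://registry.npmjs.org/@acme-internal/auth/-/auth-2.3.1.tgz',
    },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
    },
  },
};

// Constructed, non-functional fragment shaped like an obfuscator string table.
const SAMPLE_POSTINSTALL = [
  "var _0x4f2a = ['oob.moika.tech', '/report', 'l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1',",
  "  'T_IN_ONE_NO_TELEMETRY', '._t-in-one_init'];",
  "if (process.env[_0x4f2a[3]]) { /* kill switch */ }",
  "var u = 'https://' + _0x4f2a[0] + _0x4f2a[1];",
].join('\n');

// The sample organisation treats both scopes below as private-registry only.
const SAMPLE_INTERNAL_SCOPES = ['@acme-internal', '@sber-ecom-core'];

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK, SAMPLE_INTERNAL_SCOPES), null, 2));
console.log(scanInstallScript(SAMPLE_POSTINSTALL));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and listing your own private scopes in place of `@acme-internal`; the scope and 99.x checks are the ones worth keeping permanently, since they catch the next scope this operator stages, not only the ones already known.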
