{
  "campaign": {
    "name": "oob-moika-tech-depconf-2026",
    "slug": "oob-moika-tech-depconf-2026",
    "href": "/ti/campaigns/oob-moika-tech-depconf-2026",
    "description": "Wave 2 (2026-05-29) of the oob-moika-tech dependency confusion campaign. A third npm account, t-in-one (email nath.dr4k3@gmail.com), published 12 packages across three new scopes: @t-in-one (10 packages at 5.7.1), @capibar.chat/ui-kit (99.5.7), and @sber-ecom-core/sberpay-widget (99.5.8, impersonating Sberbank's SberPay payment widget). All Wave 2 packages reuse the exact C2 host (oob.moika.tech) and the same hardcoded X-Secret value (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) as the May 27 Wave 1 packages published by mr.4nd3r50n and pik-libs, tying all three accounts to one operator. Unlike Wave 1's cleartext payload, Wave 2 ships a three-layer-obfuscated postinstall.js (obfuscator.io + custom base64 alphabet + integer-shuffle string table), a functional T_IN_ONE_NO_TELEMETRY kill switch, and a run-once guard at ~/.cache/._t-in-one_init/. The @capibar.chat and @sber-ecom-core scopes were pre-staged with benign 99.0.7 versions on 2026-05-04. See campaign--oob-moika-tech-depconf-2026 (Wave 1 record) for the original 164 packages.",
    "objective": "Exfiltrate developer and CI environment credentials (process.env) and deploy a persistent OS-aware second-stage agent via npm dependency confusion, extending the May 27 campaign to internal auth/token modules and a real bank's payment widget (Sberbank).",
    "aliases": [],
    "discovered_at": "2026-05-28"
  },
  "packages": [
    {
      "ecosystem": "npm",
      "name": "@cloudplatform-single-spa/billing",
      "href": "/ti/packages/npm/@cloudplatform-single-spa/billing",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.99.99"]
    },
    {
      "ecosystem": "npm",
      "name": "@mlspace/shared-storage",
      "href": "/ti/packages/npm/@mlspace/shared-storage",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.99.99"]
    },
    {
      "ecosystem": "npm",
      "name": "@car-loans/mobile-car-loans-application",
      "href": "/ti/packages/npm/@car-loans/mobile-car-loans-application",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.99.99"]
    },
    {
      "ecosystem": "npm",
      "name": "@fb-deposit/form-deposit",
      "href": "/ti/packages/npm/@fb-deposit/form-deposit",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.99.99"]
    },
    {
      "ecosystem": "npm",
      "name": "@debit-ib/mobile-debit-ib-additional-card-form",
      "href": "/ti/packages/npm/@debit-ib/mobile-debit-ib-additional-card-form",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.99.99"]
    },
    {
      "ecosystem": "npm",
      "name": "@t-in-one/add_application",
      "href": "/ti/packages/npm/@t-in-one/add_application",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["5.7.1"]
    },
    {
      "ecosystem": "npm",
      "name": "@capibar.chat/ui-kit",
      "href": "/ti/packages/npm/@capibar.chat/ui-kit",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.0.7", "99.5.7"]
    },
    {
      "ecosystem": "npm",
      "name": "@sber-ecom-core/sberpay-widget",
      "href": "/ti/packages/npm/@sber-ecom-core/sberpay-widget",
      "threat_types": ["dependency_confusion", "credential_stealer", "data_exfiltration", "c2_agent"],
      "versions": ["99.0.7", "99.5.7", "99.5.8"]
    }
  ],
  "indicators": [
    {
      "kind": "domain",
      "value": "oob.moika.tech",
      "href": "/ti/ioc/domain/oob.moika.tech",
      "context": "C2 infrastructure for all 162 active-payload packages. Hosts the /report exfiltration endpoint and /payload/{mac|win|linux}.js second-stage scripts."
    },
    {
      "kind": "url",
      "value": "https://oob.moika.tech/report",
      "href": "/ti/ioc/url/url-0f283ce50690",
      "context": "Exfiltration endpoint. Receives HTTP POST with process.env, hostname, username, platform, arch, cwd, Node.js version, and X-Secret authentication header."
    },
    {
      "kind": "url",
      "value": "https://oob.moika.tech/payload/mac.js",
      "href": "/ti/ioc/url/url-5b6a9aeee063",
      "context": "Second-stage payload for macOS, fetched by postinstall hook on darwin systems."
    },
    {
      "kind": "url",
      "value": "https://oob.moika.tech/payload/win.js",
      "href": "/ti/ioc/url/url-fd0e7e849589",
      "context": "Second-stage payload for Windows, fetched by postinstall hook on win32 systems."
    },
    {
      "kind": "url",
      "value": "https://oob.moika.tech/payload/linux.js",
      "href": "/ti/ioc/url/url-ebd523705dbe",
      "context": "Second-stage payload for Linux, fetched by postinstall hook on linux systems."
    },
    {
      "kind": "file_path",
      "value": "._cloudplatform-single-spa_init.js",
      "href": "/ti/ioc/file_path/file_path-b7d5e2a03a48",
      "context": "Temp file written by the postinstall hook when downloading the second-stage payload. Written to the OS temp directory (os.tmpdir()). Name is consistent across all packages regardless of scope."
    },
    {
      "kind": "domain",
      "value": "telemetry.cloudplatform-single-spa.io",
      "href": "/ti/ioc/domain/telemetry.cloudplatform-single-spa.io",
      "context": "Fabricated telemetry domain appearing only in @cloudplatform-single-spa scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech."
    },
    {
      "kind": "domain",
      "value": "npm.cloudplatform-single-spa.io",
      "href": "/ti/ioc/domain/npm.cloudplatform-single-spa.io",
      "context": "Fabricated private npm registry domain in @cloudplatform-single-spa README. Social engineering artifact confirming target org uses a private npm registry. Not confirmed functional infrastructure."
    },
    {
      "kind": "domain",
      "value": "telemetry.car-loans.io",
      "href": "/ti/ioc/domain/telemetry.car-loans.io",
      "context": "Fabricated telemetry domain appearing only in @car-loans scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CAR_LOANS_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech."
    },
    {
      "kind": "domain",
      "value": "npm.car-loans.io",
      "href": "/ti/ioc/domain/npm.car-loans.io",
      "context": "Fabricated private npm registry domain in @car-loans README and .npmrc comment (registry=https://npm.car-loans.io). Social engineering artifact confirming target org uses a private npm registry — the precondition for dependency confusion. Not confirmed functional infrastructure."
    },
    {
      "kind": "file_path",
      "value": "._t-in-one_init.js",
      "href": "/ti/ioc/file_path/file_path-aee3ea2cd2fb",
      "context": "Second-stage dropper written to the OS temp directory (os.tmpdir()) by the Wave 2 postinstall hook, then spawned detached. Follows the same ._<scope>_init.js naming pattern as Wave 1's ._cloudplatform-single-spa_init.js."
    },
    {
      "kind": "email",
      "value": "nath.dr4k3@gmail.com",
      "href": "/ti/ioc/email/nath.dr4k3@gmail.com",
      "context": "npm maintainer email for the t-in-one account that published the 12 Wave 2 packages. First email identity tied to the oob-moika-tech campaign (Wave 1 accounts mr.4nd3r50n and pik-libs had no public email)."
    },
    {
      "kind": "domain",
      "value": "npm.t-in-one.io",
      "href": "/ti/ioc/domain/npm.t-in-one.io",
      "context": "Fabricated internal npm registry domain in the @t-in-one README and .npmrc lure (registry=https://npm.t-in-one.io). Social engineering artifact; not confirmed functional infrastructure."
    }
  ],
  "ttps": [
    {
      "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools",
      "mitre_attack_id": "T1195.001",
      "href": "/ti/ttps/T1195.001"
    },
    {
      "name": "Exfiltration Over C2 Channel",
      "mitre_attack_id": "T1041",
      "href": "/ti/ttps/T1041"
    },
    {
      "name": "Command and Scripting Interpreter: JavaScript",
      "mitre_attack_id": "T1059.007",
      "href": "/ti/ttps/T1059.007"
    },
    {
      "name": "Masquerading",
      "mitre_attack_id": "T1036",
      "href": "/ti/ttps/T1036"
    },
    {
      "name": "Ingress Tool Transfer",
      "mitre_attack_id": "T1105",
      "href": "/ti/ttps/T1105"
    },
    {
      "name": "Event Triggered Execution",
      "mitre_attack_id": "T1546",
      "href": "/ti/ttps/T1546"
    },
    {
      "name": "Virtualization/Sandbox Evasion",
      "mitre_attack_id": "T1497",
      "href": "/ti/ttps/T1497"
    },
    {
      "name": "README Telemetry Disclosure Social Engineering",
      "href": "/ti/ttps/readme-telemetry-disclosure-social-engineering"
    },
    {
      "name": "Three-layer JavaScript payload obfuscation",
      "href": "/ti/ttps/three-layer-js-obfuscation"
    }
  ],
  "related_campaigns": [],
  "reports": [
    {
      "title": "oob.moika.tech Dependency Confusion: 164 npm Packages Target Cloud Platform and Fintech Organizations",
      "url": "https://safedep.io/oob-moika-tech-dependency-confusion-campaign",
      "published_at": "2026-05-28"
    },
    {
      "title": "oob.moika.tech Dependency Confusion Wave 2: Third npm Account Adds 12 Packages, Sberbank Impersonation, and an Obfuscated Payload",
      "url": "https://safedep.io/oob-moika-tech-dependency-confusion-campaign",
      "published_at": "2026-05-29"
    }
  ]
}