npm

@emcd-vue/auth

discovered 2026-06-01

Wave 3 dropper published by emcd-vue on 2026-06-01. Version 6.4.8 (137.5 KB, entropy 5.04) is the original WaCk/JScrambler-obfuscated dropper. Version 6.4.9 (13.3 KB) is a lighter re-publish 22 minutes later with the same logic, used for static analysis recovery. Both carry the same X-Secret (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) and report to oob.moika.tech. Payload written to ~/.emcd-vue_init.js; FUSION_ env-var protocol passed to second stage.

Threat types

dependency_confusion credential_stealer data_exfiltration c2_agent persistence

Malicious versions

6.4.8
6.4.9

Campaigns

oob-moika-tech-depconf-2026attributed-to

Indicators

url https://oob.moika.tech/reportexfiltrates-to
domain oob.moika.techcommunicates-with
file_path ~/.emcd-vue_init.jsdrops
email [email protected]attributed-to
domain emcd-vue.iocommunicates-with

Techniques

ttp WaCk/JScrambler JavaScript obfuscationuses
ttp Structured env-var capability handshake to second stageuses
ttp Home-directory payload persistenceuses
ttp Deliberate kill-switch mismatch (non-functional README opt-out)uses
ttp Plausible version number evasionuses
ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1036 Masqueradinguses
ttp T1497 Virtualization/Sandbox Evasionuses

Read the full analysis →