@sber-ecom-core/sberpay-widget
Dependency-confusion impersonation of Sberbank's internal SberPay payment widget, published by t-in-one. Version 99.5.8 is the latest; 99.5.7 was also published on 2026-05-29; the scope was pre-staged with a benign-versioned 99.0.7 on 2026-05-04. Confirms the campaign's financial-sector / Russian-market targeting. Uses the same C2 and X-Secret as the rest of the campaign.
discovered 2026-05-29
Threat types
- dependency_confusion
- credential_stealer
- data_exfiltration
- c2_agent
Malicious versions
- 99.0.7
- 99.5.7
- 99.5.8
