npm

@t-in-one/add_application

Representative package of the @t-in-one scope (10 packages at 5.7.1, published by t-in-one on 2026-05-29 within a ~43-second batch). Credential/token-themed names (add_application, add_app_middleware_token, get_application_hid, form_product_token, application_id_storage_key_token, only_difference_payload, prefill_credit_data_token, prefill_bundle_data_token, add_application_tid, add_application_service_token) masquerade as internal auth modules. postinstall.js is three-layer obfuscated and reports to oob.moika.tech with the shared X-Secret. Tarball SHA256: 23ccdefb9b917373a4b723d8d482eb6b8880e7e45b0d21cfa5d21d5c27da4918.

discovered 2026-05-29

Threat types

dependency_confusioncredential_stealerdata_exfiltrationc2_agent

Malicious versions

5.7.1

Campaigns

oob-moika-tech-depconf-2026attributed-to

Indicators

urlhttps://oob.moika.tech/reportexfiltrates-to
domainoob.moika.techcommunicates-with
file_path._t-in-one_init.jsdrops
email[email protected]attributed-to
domainnpm.t-in-one.iocommunicates-with

Techniques

ttpThree-layer JavaScript payload obfuscationuses
ttpT1497 Virtualization/Sandbox Evasionuses
ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses

Read the full analysis →