@tqm-mfe/main

discovered 2026-07-01

Single-package @tqm-mfe scope, a same-day sibling of the 25-package @marketfront Wave 4 batch in the oob-moika-tech dependency-confusion campaign. Published by npm user t.tqm.mfe (email [email protected], Proton Mail; a NEW actor email distinct from [email protected]). Scope created 2026-07-01T17:12:57Z.

Two versions:

  • 5.4.7 (2026-07-01T17:12:58Z), postinstall.js md5 7c1a3a2eea2fa01246179bcfcd2648b0
  • 5.5.0 (2026-07-01T19:16:38Z, dist-tag latest, changelog claims 'Added ARM64 support'), postinstall.js md5 eba5d3fa62ff3bbcd9d3a75d7f884de2; the postinstall.js hash DIFFERS between versions.

COVER IDENTITY / TARGETING: description 'ESLint configs for Angular apps'; the README Quick Start imports @tinkoff/eslint-config/app, @tinkoff/eslint-config-angular and a tinkoffConfig, so the scope impersonates Tinkoff / T-Bank internal Angular ESLint tooling ('tqm-mfe' reads as a Tinkoff-adjacent micro-frontend namespace).

Campaign markers present: README lure 'Internal package — Platform Engineering Team'; author 'Tqm-Mfe Platform Engineering <[email protected]>'; scope-parameterized docs/jira/npm/telemetry/github.tqm-mfe.io metadata; internal-registry lure registry=https://npm.tqm-mfe.io.

Payload: postinstall 'node scripts/postinstall.js', an obfuscator.io-style single-line ~182 KB script (larger than the ~160 KB @marketfront/@emcd-vue samples) with the same RC4/XOR-behind-base64 obfuscation class as @marketfront. Static hex-escape decode yielded only fragments ('headers', 'wDnsNs', and an UNCONFIRMED 32-char token BenVAhu4A2PxuvrTvZzlC1DqBvjxn3PO, a candidate RC4 key or X-Secret value). Ships the same non-functional decoy dist/index.js (md5 7f01e8546af142347587931cf56cc47a, identical across both versions) that require()s a ../src/index.js absent from the tarball.

INFERRED (family match + obfuscation class, NOT independently decoded for this sample): credential-file harvester (~20 files including ~/.ssh, ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.npmrc, ~/.netrc, ~/.pgpass, ~/.git-credentials, ~/.env, shell history) exfiltrated as a gzip HTTPS POST with a custom X-Secret header to /api/v1/events, plus a DNS resolver beacon. The C2 host was NOT statically resolved (RC4+XOR-concealed); no C2 domain is asserted for this sample.

Threat types

  • dependency_confusion
  • credential_stealer
  • data_exfiltration

Malicious versions

  • 5.4.7
  • 5.5.0
