Wave 3 (2026-06-01) of the oob-moika-tech dependency confusion campaign. A fourth npm account, emcd-vue (email emcd-vue@proton.me), published at least 3 confirmed packages in the @emcd-vue scope, impersonating EMCD (emcd.io), a real Russian cryptocurrency mining pool and exchange. The same hardcoded X-Secret (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) ties this wave to all prior accounts. Wave 3 is the campaign's most advanced iteration:
- WaCk/JScrambler obfuscation: 811-element string array, custom lowercase-first base64 alphabet, integer-arithmetic indexing, 5-arg helper proxy functions, anti-debug self-check
- payload written to ~/.emcd-vue_init.js in the home directory rather than the OS temp directory
- FUSION_ env-var handshake protocol to the second stage (FUSION_RECON_ONLY, FUSION_DEP_CON, FUSION_PKG, FUSION_VER, FUSION_SECRET, FUSION_PAYLOAD)
- architecture-qualified platform payload URLs (linux-x64, darwin-arm64, win)
- plausible version numbers (6.4.8/6.4.9/7.1.7) that evade version-anomaly heuristics
- README kill switch (EMCD_VUE_8D440FE1_NO_TEL) deliberately mismatched from the kill switch the code actually checks (EMCD_VUE_NO_TELEMETRY), so the documented opt-out does nothing
Objective
Exfiltrate developer and CI environment credentials (process.env) and deploy a persistent OS-aware second-stage agent via npm dependency confusion, extending the May 27 campaign to internal auth/token modules and a real bank's payment widget (Sberbank).
Packages
- npm @cloudplatform-single-spa/billing (attributed-to)
- npm @mlspace/shared-storage (attributed-to)
- npm @car-loans/mobile-car-loans-application (attributed-to)
- npm @fb-deposit/form-deposit (attributed-to)
- npm @debit-ib/mobile-debit-ib-additional-card-form (attributed-to)
- npm @t-in-one/add_application (attributed-to)
- npm @capibar.chat/ui-kit (attributed-to)
- npm @sber-ecom-core/sberpay-widget (attributed-to)
- npm @emcd-vue/auth (attributed-to)
- npm @emcd-vue/loans (attributed-to)
- npm @emcd-vue/b2b-pay-form (attributed-to)
Indicators
- domain oob.moika.tech (communicates-with)
- url https://oob.moika.tech/report (exfiltrates-to)
- url https://oob.moika.tech/payload/mac.js (communicates-with)
- url https://oob.moika.tech/payload/win.js (communicates-with)
- url https://oob.moika.tech/payload/linux.js (communicates-with)
- file_path ._cloudplatform-single-spa_init.js (drops)
- domain telemetry.cloudplatform-single-spa.io (communicates-with)
- domain npm.cloudplatform-single-spa.io (communicates-with)
- domain telemetry.car-loans.io (communicates-with)
- domain npm.car-loans.io (communicates-with)
- file_path ._t-in-one_init.js (drops)
- email nath.dr4k3@gmail.com (attributed-to)
- domain npm.t-in-one.io (communicates-with)
- file_path ~/.emcd-vue_init.js (drops)
- email emcd-vue@proton.me (attributed-to)
- domain emcd-vue.io (communicates-with)
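As an added detection example (not part of the original record and not the campaign's own code), the following Python scans an npm lock file for the packages and campaign hosts listed above and checks a directory for the dropped second-stage file. It assumes the npm lockfileVersion 1 and 2/3 layouts; the sample lock data, the package name @t-in-one/ui-helpers and the version assignments in it are constructed for the demo.

```python
"""Scan npm lock files and a directory for the oob-moika-tech campaign IoCs."""
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Package names, hosts and dropped-file names come from the indicator lists above.
MALICIOUS_PACKAGES = {
    "@cloudplatform-single-spa/billing", "@mlspace/shared-storage",
    "@car-loans/mobile-car-loans-application", "@fb-deposit/form-deposit",
    "@debit-ib/mobile-debit-ib-additional-card-form", "@t-in-one/add_application",
    "@capibar.chat/ui-kit", "@sber-ecom-core/sberpay-widget",
    "@emcd-vue/auth", "@emcd-vue/loans", "@emcd-vue/b2b-pay-form",
}
CAMPAIGN_HOSTS = {
    "oob.moika.tech", "telemetry.cloudplatform-single-spa.io",
    "npm.cloudplatform-single-spa.io", "telemetry.car-loans.io",
    "npm.car-loans.io", "npm.t-in-one.io", "emcd-vue.io",
}
DROPPED_FILES = {"._cloudplatform-single-spa_init.js", "._t-in-one_init.js", ".emcd-vue_init.js"}


def _iter_lock_entries(lock):
    """Yield (package_name, entry) for npm lockfileVersion 1, 2 and 3."""
    # v2/v3: "packages" maps install paths ("node_modules/@scope/name") to entries
    for path, entry in lock.get("packages", {}).items():
        if path:  # the empty key is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], entry
    # v1: nested "dependencies" tree keyed by package name
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def scan_lockfile(lock):
    """Return (name, reason, resolved_url) for listed packages or tarballs from campaign hosts."""
    findings = []
    for name, entry in _iter_lock_entries(lock):
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if name in MALICIOUS_PACKAGES:
            findings.append((name, "listed campaign package", resolved))
        elif host in CAMPAIGN_HOSTS:
            findings.append((name, "resolved from campaign host", resolved))
    return findings


def scan_dropped_files(directories):
    """Return paths of second-stage payload files found in the given directories.
    Wave 3 writes to the home directory; earlier waves used the OS temp directory."""
    found = []
    for d in directories:
        for name in DROPPED_FILES:
            p = Path(d) / name
            if p.is_file():
                found.append(str(p))
    return sorted(found)


def demo_dropped_file_check():
    """Self-contained demo: plant the Wave 3 file name in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".emcd-vue_init.js").write_text("// constructed placeholder\n")
        return [Path(p).name for p in scan_dropped_files([tmp, Path.home()])
                if Path(p).parent == Path(tmp)]


# Constructed sample lock files (versions and @t-in-one/ui-helpers are made up).
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-app"},
        "node_modules/@emcd-vue/auth": {
            "version": "6.4.8",
            "resolved": "https://registry.npmjs.org/@emcd-vue/auth/-/auth-6.4.8.tgz"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/@t-in-one/ui-helpers": {
            "version": "2.0.1",
            "resolved": "https://npm.t-in-one.io/@t-in-one/ui-helpers/-/ui-helpers-2.0.1.tgz"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-ui": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/some-ui/-/some-ui-1.0.0.tgz",
            "dependencies": {"@sber-ecom-core/sberpay-widget": {
                "version": "7.1.7",
                "resolved": "https://registry.npmjs.org/@sber-ecom-core/sberpay-widget/-/sberpay-widget-7.1.7.tgz"}},
        },
    },
}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for name, reason, url in scan_lockfile(lock):
            print(f"{name}: {reason} ({url})")
    print("dropped files:", scan_dropped_files([Path.home(), tempfile.gettempdir()]))
```

Against a real repository, load package-lock.json with json.load and pass the dict to scan_lockfile; the host check matters because a dependency-confusion tarball can carry a name that is not on the list yet still resolve from a campaign-controlled registry such as npm.t-in-one.io.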
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1036 Masquerading (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1497 Virtualization/Sandbox Evasion (uses)
- ttp README Telemetry Disclosure Social Engineering (uses)
- ttp Three-layer JavaScript payload obfuscation (uses)
- ttp WaCk/JScrambler JavaScript obfuscation (uses)
- ttp Structured env-var capability handshake to second stage (uses)
- ttp Home-directory payload persistence (uses)
- ttp Deliberate kill-switch mismatch (non-functional README opt-out) (uses)
- ttp Plausible version number evasion (uses)
