malware npm
@cloudplatform-single-spa/billing
discovered 2026-05-28

Representative package from the @cloudplatform-single-spa scope (122 packages total). All packages at version 99.99.99 published by mr.4nd3r50n on 2026-05-27T21:15 UTC. 120 carry active postinstall payloads; 2 are no-payload placeholders. Packages mirror internal cloud platform services: billing, VPC, Kubernetes, ML inference, IAM, certificate manager, object storage, VDI, bare metal servers, observability, and more.
Threat types
dependency_confusion credential_stealer data_exfiltration c2_agent
Malicious versions
- 99.99.99
Campaigns
Indicators
- domain oob.moika.tech (communicates-with)
- url https://oob.moika.tech/report (exfiltrates-to)
- url https://oob.moika.tech/payload/mac.js (communicates-with)
- url https://oob.moika.tech/payload/win.js (communicates-with)
- url https://oob.moika.tech/payload/linux.js (communicates-with)
- file_path ._cloudplatform-single-spa_init.js (drops)
- domain telemetry.cloudplatform-single-spa.io (communicates-with)
- domain npm.cloudplatform-single-spa.io (communicates-with)
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1036 Masquerading (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1497 Virtualization/Sandbox Evasion (uses)
- ttp README Telemetry Disclosure Social Engineering (uses)
