Tactics, Techniques & Procedures
Attack patterns observed in the wild, mapped to MITRE ATT&CK where applicable.
Cargo build script (build.rs) executes attacker code at compile time, before any library code or runtime, including in CI.
build.rs walks up from OUT_DIR until it finds the parent of a 'target' directory (the consuming Cargo project root) and runs 'git diff HEAD^ HEAD' to harvest proprietary source code from the victim's local repository, plus 'git log -n 1 --pretty=format:{...}' for commit metadata.
Developer email addresses are harvested from git author metadata captured via 'git log -n 1'.
Uses stolen GitHub credentials of the compromised owner (ocrybit) and the asteroiddao npm account to publish packages and poison repos.
Routes C2 and exfiltration through Tor (custom torrc + downloaded Tor expert bundle) to conceal infrastructure.
eBPF kernel rootkit (q2.bpf.c) hides processes via /proc rewriting and TCP sockets via netlink filtering; requires root and absent kernel lockdown for full effect.
Conceals its own processes, sockets and on-host artifacts via the eBPF component and binary path masquerade.
eBPF rootkit and anti-analysis measures impair host visibility and tooling that would observe the implant.
eBPF component intercepts ptrace and SIGKILLs attached debuggers to frustrate analysis.
eBPF/kernel-level persistence component loaded to survive and re-hook on the host. (Mapped from JFrog's eBPF persistence note.)
Final-stage PE padded to ~86 MB to exceed scanner size limits and evade automated analysis.
Attacker-added lib/core/eval.js carries a fake 1985 mtime to blend with the copied legitimate axios files.
Extensive use of native APIs via koffi FFI library from Electron: Crypt32.dll CryptUnprotectData for DPAPI browser credential decryption, kernel32.dll VirtualAllocEx/WriteProcessMemory/CreateRemoteThread for process injection, and child_process.execFile for PE execution.
Downloads shellcode from C2, XOR-decodes with key 0xAA, spawns suspended dllhost.exe, injects via VirtualAllocEx + WriteProcessMemory + CreateRemoteThread. All Win32 API calls made through koffi FFI from Electron/Node.js runtime.
WebSocket RAT over wss:// Cloudflare quick-tunnel with auto-reconnect. Supports arbitrary cmd.exe and powershell execution with real-time stdout streaming to operator.
Hardcoded blacklists of known sandbox IPs and hostnames. Checks victim IP via ipinfo.io/json and local hostname against lists before proceeding with theft operations.
Wave 3 @emcd-vue/auth@6.4.8 (137.5 KB, entropy 5.04) uses WaCk/JScrambler-style obfuscation: 811-element string array (a0c()) backed by a custom lowercase-first base64 alphabet, integer arithmetic to compute array indices, 5-argument helper proxy functions, and an anti-debug self-checking loop. The 6.4.9 re-publish (13.3 KB) applies the same structure more lightly, enabling static recovery. This is a step beyond the obfuscator.io + custom-alphabet layers used in Wave 2 of the same campaign.
Wave 3 passes six structured FUSION_ environment variables to the spawned second-stage process: FUSION_RECON_ONLY (reconnaissance-only mode flag), FUSION_DEP_CON, FUSION_PKG (@emcd-vue/auth), FUSION_VER (6.4.9), FUSION_SECRET (the X-Secret value), and FUSION_PAYLOAD (payload data). This enables the operator to configure second-stage behavior without modifying the first-stage dropper. FUSION_RECON_ONLY=1 puts the second stage in a passive mode.
Wave 3 writes the second-stage payload to ~/.emcd-vue_init.js (dot-hidden file in the user home directory) rather than os.tmpdir(). Home directories are not cleared by OS or standard cleanup tools, making this a persistence upgrade. The run-once dedup cache is also stored in the home directory (~/.emcd-vue_init/).
Wave 3 README advertises EMCD_VUE_8D440FE1_NO_TEL=1 as the telemetry opt-out env var. The postinstall code checks EMCD_VUE_NO_TELEMETRY. These differ; setting the README variable does nothing. Developers who follow the documented opt-out are still exfiltrated. The hex fragment 8D440FE1 in the README var name indicates deliberate construction. Extends the campaign's README social engineering pattern (fake telemetry disclosure) with an additional deception layer.
Wave 3 packages use version numbers that resemble genuine mature-project releases (6.4.8, 6.4.9, 7.1.7) rather than anomalous strings (99.99.99, 5.7.1) used in Waves 1 and 2. The packages jump directly to these versions with no prior history, which remains a weak signal, but the version numbers themselves do not trigger version-anomaly heuristics common in OSS security tooling.
Abuse of npm GitHub Actions trusted publishing, which binds trust to repository + workflow filename rather than branch/ref/environment.
Runtime per-call-site decryption of ~86 environment-variable names and 20+ credential file paths, each decrypted individually.
Queries AWS IMDS (169.254.169.254), ECS (169.254.170.2), Azure managed identity, and GCP metadata for credentials.
Exchanges the GitHub Actions OIDC token for npm publish tokens via the registry OIDC exchange endpoint.
Attempts Docker socket container escape, mounting /etc/sudoers.d and granting the runner NOPASSWD sudo.
Run-once lock file (core/telemetry/.loader.lock) prevents double-execution. Silent exception catch makes the stager inert in clean environments where _runtime.bin is absent.
Detects CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner.
Pushes oidc-<hex> branches that rewrite the trusted CI workflow, exchanges OIDC for npm publish tokens, repackages legit tarballs with a malicious preinstall, re-signs via Sigstore (Fulcio/Rekor), and republishes with valid provenance.
GitHub API calls use User-Agent python-requests/2.31.0 to blend with tooling traffic.
Wave 2 postinstall.js (~13 KB, entropy ~5.46) layers obfuscator.io output, a custom base64 alphabet, and an integer-shuffle string table. Statically recoverable by alphabet remapping; decodes to the same oob.moika.tech and X-Secret constants Wave 1 used in cleartext. Matches SafeDep YARA rules dynamic_require_double_obscured (critical), js_char_code_at_substitution, js_hex_obfuscation. Distinguishes Wave 2 from Wave 1's plaintext payload and represents an evasion upgrade by the same operator.
Steals credentials from Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Yandex (DPAPI via koffi FFI into Crypt32.dll) and Firefox (NSS library loader). Extracts saved passwords, cookies, and autofill data.
Windows persistence via schtasks and registry Run key.
macOS persistence via LaunchAgent plist (com.launchkeeper.MicrosoftSystem64).
The malicious Cargo build.rs shells out to external commands (git, curl) on the host during compilation.
Malware payload bundled as a Node.js SEA (Single Executable Application), producing a standalone binary (81 MB) that embeds the Node.js v20.18.2 runtime. Avoids dependency on the victim having Node.js installed and obscures the JavaScript payload within a stripped ELF/PE binary.
XOR encryption with 8-byte key [90, 60, 126, 18, 159, 75, 109, 138] used to encrypt embedded configuration including C2 address and HuggingFace token.
Account rotation across multiple npm accounts (jpeek868, jpeek886, jpeek895, pvnd3540749, yggedd817513, toskypi) to sustain publishing after takedowns.
Wave 2 adds a functional T_IN_ONE_NO_TELEMETRY kill switch honored in code and a run-once de-duplication guard (~/.cache/._t-in-one_init/), reducing repeat beacons and analysis surface. Wave 1's telemetry opt-out env vars were README-only social engineering.
Package README declares a fake telemetry feature with a fabricated opt-out environment variable and plausible internal telemetry domain. This normalizes expected outbound network activity at install time. Developers and security reviewers see a disclosure with an opt-out (standard practice for legitimate telemetry) and do not investigate the actual exfiltration POST to oob.moika.tech. The telemetry domains are not functional C2; they exist only in README text as social engineering artifacts. Fake changelog entries with plausible version history further present the package as a mature, ongoing project rather than a fresh first-and-only publish.
Staging web content (proxy pages with injected ad scripts) on infrastructure to target users who visit the proxy.
Mass-publishing packages to npm via automated shell scripts (auto-publish.sh) to rapidly deploy adware infrastructure across many package names.
Service worker intercepts all fetch events in the web proxy, injecting tab-interception scripts into proxied HTML responses to enable popunder ad monetization.
Typosquat of axios published to npm as turbo-axios and faster-axios, copying legitimate axios source and metadata to appear trustworthy while smuggling a postinstall payload.
Copies binary to %LOCALAPPDATA%\Microsoft\Windows\0\svchost.exe and sets HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost for boot persistence.
macOS persistence via LaunchAgent plist.
Linux persistence via systemd user service and XDG autostart.
Injects JavaScript into the Exodus desktop wallet to capture the wallet password and BIP-39 seed mnemonic as the user enters them, POSTed to the local listener on 127.0.0.1:8738.
Clipboard monitoring with 1-second polling interval.
Screenshot capture at 60-second intervals, uploaded to HuggingFace datasets.
Collection of .env files, shell history, and host inventory.
Exfiltration of screenshots and stolen credential archives to HuggingFace Hub repositories using embedded API token.
Host inventory collection including installed applications.
Chromium extension LevelDB harvesting across 21+ browsers.
Scheduled scans and automatic upload of collected data.
Malicious package content delivers exploit code intended to execute in a client application context.
Hardcoded 2FA password and recovery email installed on victim accounts via Telegram updateTwoFaSettings, with the operator's IMAP mailbox auto-submitting the confirmation code.
Listens for messages on Telegram's official OTP sender chat 777000 and forwards every login code to operator-controlled bot channels.
Malware propagates or executes across additional systems by abusing remote management channels.
Malware modifies account state, access paths, sessions, or authorization material to expand or preserve access.
_runtime.bin uses a // @bun @bun-cjs header with MxGPr9 string-array rotation obfuscation and a fromCodePoint decoder, the same javascript-obfuscator pattern documented in Mini Shai-Hulud router_init.js.
Abuses npm OIDC Trusted Publishing token exchange to mint package-scoped automation tokens for self-replication; also steals SCM/registry/CI and AI-provider API tokens.
Malware deletes, corrupts, or otherwise destroys local data or system state.
Abuses legitimate web services for staging and C2: gofile.io anonymous file hosting, Cloudflare quick-tunnel (trycloudflare.com) for multiple distinct tunnels (delivery, exfil API, secondary download, WebSocket RAT, shellcode), ipinfo.io for geolocation, Discord API for token validation.
Python used as the execution trigger: modified __init__.py spawns a daemon thread that imports and calls the stager module at package import time.
Scans Desktop, Downloads, and Documents for GitHub backup codes, Discord tokens, crypto wallet files, and sensitive documents matching keyword+extension patterns (English and French keywords). Extracts BIP-39 seed phrases from MetaMask/Exodus wallet files.
Stolen credentials and host data exfiltrated to a Tor hidden-service C2 (/api/agent), with temp.sh as a Tor-tunneled fallback.
Malware targets SSH keys, wallet private keys, or other private key material.
Malware uses DNS requests as a command-and-control or exfiltration transport.
Extracts browser session cookies from Chromium-based browsers and Firefox for session hijacking.
Malware uses HTTP, HTTPS, or WebSocket traffic for command-and-control or data movement.
Module import event triggers daemon thread execution. Any code path that imports the core.telemetry package (application startup, CI test runs, IDE background processes) silently triggers the stager.
Commits authored as claude@ and as dependabot/renovate/github-actions bot identities with benign messages ('chore: update dependencies', 'fix: resolve lint warnings') to blend with automation; binary disguised as tools/setup and .github/scripts/precheck.
Malicious packages distributed via npm with fabricated/plausible version numbers to win dependency confusion resolution against internal @emcd-vue scope.
package.json postinstall runs node ./lib/core/eval.js; stage 1 retrieves remote JS and executes it via eval(), giving the attacker arbitrary runtime code delivery.
Postinstall hook fetches OS-specific second-stage payload from oob.moika.tech/payload/{mac|win|linux}.js and writes it to the OS temp directory before spawning it as a detached process.