T1105
Ingress Tool Transfer
Discovered: 2024-11-04
A postinstall hook fetches an OS-specific second-stage payload from oob.moika.tech/payload/{mac|win|linux}.js, writes it to the OS temp directory, and then spawns it as a detached process.
Seen in packages (package names only; this list gives no affected versions)
- npm llm-oracle (uses)
- npm redis-oracle (uses)
- npm chrome-api-utils (uses)
- npm grafana-sentry-datasource (uses)
- npm @patternfly-v5/patternfly (uses)
- npm electron-builder-13 (uses)
- npm graphql.vscode-graphql-syntax (uses)
- npm mattermost-cloudnative-bootstrapper (uses)
- npm nyc-config (uses)
- npm eslint-config-prettier (uses)
- npm eslint-plugin-prettier (uses)
- npm snyckit (uses)
- npm @pkgr/core (uses)
- npm napi-postinstall (uses)
- pypi bitensor (uses)
- pypi bittenso-cli (uses)
- pypi qbittensor (uses)
- pypi bittenso (uses)
- npm ansi-styles (uses)
- npm debug (uses)
- npm chalk (uses)
- npm supports-color (uses)
- npm strip-ansi (uses)
- npm ansi-regex (uses)
- npm wrap-ansi (uses)
- npm color-convert (uses)
- npm color-name (uses)
- npm is-arrayish (uses)
- npm slice-ansi (uses)
- npm error-ex (uses)
- npm color-string (uses)
- npm simple-swizzle (uses)
- npm supports-hyperlinks (uses)
- npm has-ansi (uses)
- npm chalk-template (uses)
- npm backslash (uses)
- npm @ctrl/tinycolor (uses)
- npm hyatt-residential-roster (uses)
- npm hyatt-album (uses)
- npm hyatt-avatar (uses)
- npm @zapier/zapier-sdk (uses)
- npm @asyncapi/specs (uses)
- npm @quick-start-soft/quick-markdown-print (uses)
- npm @quick-start-soft/quick-markdown (uses)
- npm @quick-start-soft/quick-remove-image-background (uses)
- npm @quick-start-soft/quick-git-clean-markdown (uses)
- npm @quick-start-soft/quick-document-translator (uses)
- npm @quick-start-soft/quick-markdown-image (uses)
- npm @quick-start-soft/quick-task-refine (uses)
- npm @asyncapi/modelina (uses)
- npm posthog-react-native (uses)
- npm posthog-node (uses)
- npm @postman/secret-scanner-wasm (uses)
- npm @postman/csv-parse (uses)
- npm @postman/node-keytar (uses)
- npm @postman/tunnel-agent (uses)
- npm @postman/wdio-allure-reporter (uses)
- npm @postman/postman-mcp-cli (uses)
- npm @postman/mcp-ui-client (uses)
- npm @postman/wdio-junit-reporter (uses)
- npm @postman/pm-bin-macos-arm64 (uses)
- npm @postman/pm-bin-linux-x64 (uses)
- npm @postman/aether-icons (uses)
- npm @Schedaero/shared (uses)
- npm react-refresh-update (uses)
- pypi litellm (uses)
- npm oc-aa-module-client (uses)
- npm @wame/ngx-adfs (uses)
- npm @the-coca-cola-company/ngps-global-common-utils (uses)
- npm cr-static-shared-components (uses)
- npm @ceeferenderer/fe-renderer-sdk (uses)
- pypi telnyx (uses)
- npm axios (uses)
- npm express-session-js (uses)
- npm mgc (uses)
- npm strapi-plugin-cron (uses)
- npm strapi-plugin-config (uses)
- npm strapi-plugin-server (uses)
- npm strapi-plugin-database (uses)
- npm strapi-plugin-core (uses)
- npm strapi-plugin-hooks (uses)
- npm strapi-plugin-monitor (uses)
- npm strapi-plugin-events (uses)
- npm strapi-plugin-logger (uses)
- npm strapi-plugin-health (uses)
- npm strapi-plugin-sync (uses)
- npm strapi-plugin-seed (uses)
- npm strapi-plugin-locale (uses)
- npm strapi-plugin-form (uses)
- npm strapi-plugin-notify (uses)
- npm strapi-plugin-api (uses)
- npm strapi-plugin-sitemap-gen (uses)
- npm strapi-plugin-nordica-tools (uses)
- npm strapi-plugin-nordica-sync (uses)
- npm strapi-plugin-nordica-cms (uses)
- npm strapi-plugin-nordica-api (uses)
- npm strapi-plugin-nordica-recon (uses)
- npm strapi-plugin-nordica-stage (uses)
- npm strapi-plugin-nordica-vhost (uses)
- npm strapi-plugin-nordica-deep (uses)
- npm strapi-plugin-nordica-lite (uses)
- npm strapi-plugin-nordica (uses)
- npm strapi-plugin-finseven (uses)
- npm strapi-plugin-hextest (uses)
- npm strapi-plugin-cms-tools (uses)
- npm strapi-plugin-content-sync (uses)
- npm strapi-plugin-debug-tools (uses)
- npm strapi-plugin-health-check (uses)
- npm strapi-plugin-guardarian-ext (uses)
- npm strapi-plugin-advanced-uuid (uses)
- npm strapi-plugin-blurhash (uses)
- npm @velora-dex/sdk (uses)
- npm sjs-biginteger (uses)
- npm sjs-lint-build1 (uses)
- npm bjs-biginteger (uses)
- npm bjs-lint-builder (uses)
- npm bjs-lint-builders (uses)
- npm cjs-biginteger (uses)
- npm ts-lint-builds (uses)
- npm @genoma-ui/components (uses)
- npm rrweb-v1 (uses)
- npm @needl-ai/common (uses)
- npm dom-utils-lite (uses)
- npm centralogger (uses)
- npm forge-jsx (uses)
- npm @johntaohunter/forge-jsx (uses)
- npm js-logger-pack (uses)
- npm ixpresso-core (uses)
- npm godsplan (uses)
- npm eyevox (uses)
- npm @bitwarden/cli (uses)
- npm @cap-js/sqlite (uses)
- npm @cap-js/postgres (uses)
- npm @cap-js/db-service (uses)
- npm mbt (uses)
- npm npm-global-util (uses)
- pypi pytorch-lightning (uses)
- npm exiouss (uses)
- npm common-tg-service (uses)
- npm ams-ssk (uses)
- npm node-env-resolve (uses)
- npm martinez-polygon-clipping-tony (uses)
- npm noon-contracts (uses)
- npm iceberg-javascript (uses)
- npm supabase-javascript (uses)
- npm auth-javascript (uses)
- npm microsoft-applicationinsights-common (uses)
- npm ms-graph-types (uses)
- npm node-ipc (uses)
- npm ai-figure (uses)
- npm amapcn (uses)
- npm @antv/a8 (uses)
- npm @antv/adjust (uses)
- npm @antv/algorithm (uses)
- npm @antv/async-hook (uses)
- npm @antv/attr (uses)
- npm @antv/ava (uses)
- npm @antv/ava-react (uses)
- npm @antv/awards (uses)
- npm @antv/calendar-heatmap (uses)
- npm @antv/chart-linter (uses)
- npm @antv/chart-node-g6 (uses)
- npm @antv/chart-visualization-skills (uses)
- npm @antv/ckb (uses)
- npm @antv/color-schema (uses)
- npm @antv/color-util (uses)
- npm @antv/component (uses)
- npm @antv/coord (uses)
- npm @antv/d3-color (uses)
- npm @antv/d3-interpolate (uses)
- npm @antv/data-samples (uses)
- npm @antv/data-set (uses)
- npm @antv/data-wizard (uses)
- npm @antv/dipper-component (uses)
- npm @antv/dipper-hooks (uses)
- npm @antv/dipper-map (uses)
- npm @antv/dom-util (uses)
- npm @antv/dumi-theme-antv (uses)
- npm @antv/dw-analyzer (uses)
- npm @antv/dw-random (uses)
- npm @antv/dw-transform (uses)
- npm @antv/dw-util (uses)
- npm @antv/event-emitter (uses)
- npm @antv/expr (uses)
- npm @antv/f2 (uses)
- npm @antv/f2-algorithm (uses)
- npm @antv/f2-canvas (uses)
- npm @antv/f2-context (uses)
- npm @antv/f2-graphic (uses)
- npm @antv/f2-my (uses)
- npm @antv/f2-react (uses)
- npm @antv/f2-site (uses)
- npm @antv/f2-vue (uses)
- npm @antv/f2-wordcloud (uses)
- npm @antv/f2-wx (uses)
- npm @antv/f6 (uses)
- npm @antv/f6-alipay (uses)
- npm @antv/f6-core (uses)
- npm @antv/f6-element (uses)
- npm @antv/f6-hammerjs (uses)
- npm @antv/f6-plugin (uses)
- npm @antv/f6-ui (uses)
- npm @antv/f6-wx (uses)
- npm @antv/f-charts (uses)
- npm @antv/f-engine (uses)
- npm @antv/f-lottie (uses)
- npm @antv/f-my (uses)
- npm @antv/f-react (uses)
- npm @antv/f-test-utils (uses)
- npm @antv/f-vue (uses)
- npm @antv/f-wx (uses)
- npm @antv/g2 (uses)
- npm @antv/g2-brush (uses)
- npm @antv/g2-extension-3d (uses)
- npm @antv/g2-extension-ava (uses)
- npm @antv/g2-extension-plot (uses)
- npm @antv/g2plot (uses)
- npm @antv/g2plot-schemas (uses)
- npm @antv/g2-plugin-slider (uses)
- npm @antv/g2-ssr (uses)
- npm @antv/g (uses)
- npm @antv/g6 (uses)
- npm @antv/g6-alipay (uses)
- npm @antv/g6-cli (uses)
- npm @antv/g6-core (uses)
- npm @antv/g6-editor (uses)
- npm @antv/g6-element (uses)
- npm @antv/g6-extension-3d (uses)
- npm @antv/g6-extension-react (uses)
- npm @antv/g6-mobile (uses)
- npm @antv/g6-pc (uses)
- npm @antv/g6-plugin (uses)
- npm @antv/g6-plugin-map-view (uses)
- npm @antv/g6-plugins (uses)
- npm @antv/g6-react-node (uses)
- npm @antv/g6-ssr (uses)
- npm @antv/g6-wx (uses)
- npm @antv/gatsby-theme (uses)
- npm @antv/g-base (uses)
- npm @antv/g-camera-api (uses)
- npm @antv/g-canvas (uses)
- npm @antv/g-canvaskit (uses)
- npm @antv/g-compat (uses)
- npm @antv/g-components (uses)
- npm @antv/g-css-layout-api (uses)
- npm @antv/g-css-typed-om-api (uses)
- npm @antv/g-device-api (uses)
- npm @antv/g-dom-mutation-observer-api (uses)
- npm @antv/geo-coord (uses)
- npm @antv/g-gesture (uses)
- npm @antv/gi-assets-advance (uses)
- npm @antv/gi-assets-algorithm (uses)
- npm @antv/gi-assets-basic (uses)
- npm @antv/gi-assets-galaxybase (uses)
- npm @antv/gi-assets-graphscope (uses)
- npm @antv/gi-assets-hugegraph (uses)
- npm @antv/gi-assets-janusgraph (uses)
- npm @antv/gi-assets-neo4j (uses)
- npm @antv/gi-assets-scene (uses)
- npm @antv/gi-assets-tugraph (uses)
- npm @antv/gi-assets-tugraph-analytics (uses)
- npm @antv/gi-assets-xlab (uses)
- npm @antv/gi-cli (uses)
- npm @antv/gi-common-components (uses)
- npm @antv/g-image-exporter (uses)
- npm @antv/gi-mock-data (uses)
- npm @antv/gi-public-data (uses)
- npm @antv/gi-sdk (uses)
- npm @antv/gi-sdk-app (uses)
- npm @antv/gi-theme-antd (uses)
- npm @antv/github-config-cli (uses)
- npm @antv/g-layout-blocklike (uses)
- npm @antv/g-lite (uses)
- npm @antv/gl-matrix (uses)
- npm @antv/g-lottie-player (uses)
- npm @antv/g-math (uses)
- npm @antv/g-mobile (uses)
- npm @antv/g-mobile-canvas (uses)
- npm @antv/g-mobile-canvas-element (uses)
- npm @antv/g-mobile-svg (uses)
- npm @antv/g-mobile-webgl (uses)
- npm @antv/g-pattern (uses)
- npm @antv/g-perf (uses)
- npm @antv/g-plugin-3d (uses)
- npm @antv/g-plugin-a11y (uses)
- npm @antv/g-plugin-annotation (uses)
- npm @antv/g-plugin-box2d (uses)
- npm @antv/g-plugin-canvaskit-renderer (uses)
- npm @antv/g-plugin-canvas-path-generator (uses)
- npm @antv/g-plugin-canvas-picker (uses)
- npm @antv/g-plugin-canvas-renderer (uses)
- npm @antv/g-plugin-control (uses)
- npm @antv/g-plugin-css-select (uses)
- npm @antv/g-plugin-device-renderer (uses)
- npm @antv/g-plugin-dom-interaction (uses)
- npm @antv/g-plugin-dragndrop (uses)
- npm @antv/g-plugin-gesture (uses)
- npm @antv/g-plugin-gpgpu (uses)
- npm @antv/g-plugin-html-renderer (uses)
- npm @antv/g-plugin-image-loader (uses)
- npm @antv/g-plugin-matterjs (uses)
- npm @antv/g-plugin-mobile-interaction (uses)
- npm @antv/g-plugin-physx (uses)
- npm @antv/g-plugin-rough-canvas-renderer (uses)
- npm @antv/g-plugin-rough-svg-renderer (uses)
- npm @antv/g-plugin-svg-picker (uses)
- npm @antv/g-plugin-svg-renderer (uses)
- npm @antv/g-plugin-webgl-device (uses)
- npm @antv/g-plugin-webgl-renderer (uses)
- npm @antv/g-plugin-webgpu-device (uses)
- npm @antv/g-plugin-yoga (uses)
- npm @antv/g-plugin-zdog-canvas-renderer (uses)
- npm @antv/g-plugin-zdog-svg-renderer (uses)
- npm @antv/gpt-vis (uses)
- npm @antv/gpt-vis-ssr (uses)
- npm @antv/graphin (uses)
- npm @antv/graphin-components (uses)
- npm @antv/graphin-graphscope (uses)
- npm @antv/graphin-icons (uses)
- npm @antv/graphlib (uses)
- npm @antv/g-shader-components (uses)
- npm @antv/g-svg (uses)
- npm @antv/g-web-animations-api (uses)
- npm @antv/g-web-components (uses)
- npm @antv/g-webgl (uses)
- npm @antv/g-webgl-compute (uses)
- npm @antv/g-webgpu (uses)
- npm @antv/g-webgpu-compiler (uses)
- npm @antv/g-webgpu-core (uses)
- npm @antv/g-webgpu-engine (uses)
- npm @antv/g-webgpu-raytracer (uses)
- npm @antv/g-webgpu-unitchart (uses)
- npm @antv/hierarchy (uses)
- npm @antv/infographic (uses)
- npm @antv/insight-component (uses)
- npm @antv/interaction (uses)
- npm @antv/istanbul (uses)
- npm @antv/knowledge (uses)
- npm @antv/l7 (uses)
- npm @antv/l7-component (uses)
- npm @antv/l7-composite-layers (uses)
- npm @antv/l7-core (uses)
- npm @antv/l7-district (uses)
- npm @antv/l7-draw (uses)
- npm @antv/l7-editor (uses)
- npm @antv/l7-extension-g-layer (uses)
- npm @antv/l7-layers (uses)
- npm @antv/l7-leaflet (uses)
- npm @antv/l7-map (uses)
- npm @antv/l7-mapkit (uses)
- npm @antv/l7-maps (uses)
- npm @antv/l7-mini (uses)
- npm @antv/l7-pass (uses)
- npm @antv/l7plot (uses)
- npm @antv/l7plot-component (uses)
- npm @antv/l7-react (uses)
- npm @antv/l7-renderer (uses)
- npm @antv/l7-scene (uses)
- npm @antv/l7-source (uses)
- npm @antv/l7-three (uses)
- npm @antv/l7-utils (uses)
- npm @antv/larkmap (uses)
- npm @antv/layout-gpu (uses)
- npm @antv/layout-wasm (uses)
- npm @antv/li-aiearth-assets (uses)
- npm @antv/li-analysis-assets (uses)
- npm @antv/li-core-assets (uses)
- npm @antv/li-editor (uses)
- npm @antv/li-p2 (uses)
- npm @antv/li-sam-assets (uses)
- npm @antv/li-sdk (uses)
- npm @antv/lite-insight (uses)
- npm @antv/matrix-util (uses)
- npm @antv/mcp-server-antv (uses)
- npm @antv/mcp-server-chart (uses)
- npm @antv/my-f2 (uses)
- npm @antv/my-f2-pc (uses)
- npm @antv/narrative-text-editor (uses)
- npm @antv/narrative-text-schema (uses)
- npm @antv/narrative-text-vis (uses)
- npm @antv/path-util (uses)
- npm @antv/react-g (uses)
- npm @antv/s2 (uses)
- npm @antv/s2-react (uses)
- npm @antv/s2-react-components (uses)
- npm @antv/s2-ssr (uses)
- npm @antv/s2-vue (uses)
- npm @antv/sam (uses)
- npm @antv/scale (uses)
- npm @antv/semantic-release-pnpm (uses)
- npm @antv/smart-color (uses)
- npm @antv/stat (uses)
- npm @antv/t8 (uses)
- npm @antv/thumbnails (uses)
- npm @antv/thumbnails-component (uses)
- npm @antv/torch (uses)
- npm @antv/translator (uses)
- npm @antv/util (uses)
- npm @antv/vendor (uses)
- npm @antv/vis-predict-engine (uses)
- npm @antv/webgpu-graph (uses)
- npm @antv/word-scale-chart (uses)
- npm @antv/wx-f2 (uses)
- npm @antv/x6 (uses)
- npm @antv/x6-angular-shape (uses)
- npm @antv/x6-common (uses)
- npm @antv/x6-components (uses)
- npm @antv/x6-geometry (uses)
- npm @antv/x6-plugin-clipboard (uses)
- npm @antv/x6-plugin-dnd (uses)
- npm @antv/x6-plugin-export (uses)
- npm @antv/x6-plugin-history (uses)
- npm @antv/x6-plugin-keyboard (uses)
- npm @antv/x6-plugin-minimap (uses)
- npm @antv/x6-plugin-scroller (uses)
- npm @antv/x6-plugin-selection (uses)
- npm @antv/x6-plugin-snapline (uses)
- npm @antv/x6-plugin-stencil (uses)
- npm @antv/x6-plugin-transform (uses)
- npm @antv/x6-react (uses)
- npm @antv/x6-react-components (uses)
- npm @antv/x6-react-shape (uses)
- npm @antv/x6-vector (uses)
- npm @antv/x6-vue3-shape (uses)
- npm @antv/x6-vue-shape (uses)
- npm @antv/xflow (uses)
- npm @antv/xflow-core (uses)
- npm @antv/xflow-diff (uses)
- npm @antv/xflow-extension (uses)
- npm @antv/xflow-hook (uses)
- npm ast-plugin (uses)
- npm babel-plugin-version (uses)
- npm boring-avatars-vanilla (uses)
- npm byte-parser (uses)
- npm canvas-nest.js (uses)
- npm echarts-for-react (uses)
- npm filesize.js (uses)
- npm fixed-round (uses)
- npm gantt-for-react (uses)
- npm jest-canvas-mock (uses)
- npm jest-date-mock (uses)
- npm jest-electron (uses)
- npm jest-expect (uses)
- npm jest-less-loader (uses)
- npm jest-random-mock (uses)
- npm jest-url-loader (uses)
- npm limit-size (uses)
- npm lint-md (uses)
- npm lint-md-cli (uses)
- npm @lint-md/cli (uses)
- npm @lint-md/core (uses)
- npm @lint-md/parser (uses)
- npm mcp-echarts (uses)
- npm mcp-mermaid (uses)
- npm miz (uses)
- npm onfire.js (uses)
- npm react-adsense (uses)
- npm relationship.js (uses)
- npm ribbon.js (uses)
- npm size-sensor (uses)
- npm slice.js (uses)
- npm timeago.js (uses)
- npm timeago-react (uses)
- npm uri-parse (uses)
- npm word-width (uses)
- npm xmorse (uses)
- pypi durabletask (uses)
- npm @cloudplatform-single-spa/billing (uses)
- npm faster-axios (uses)
- npm turbo-axios (uses)
- npm @redhat-cloud-services/patch-client (uses)
- pypi gpt-pilot (uses)
Campaigns
- No Specific Campaign (attributed-to)
- Enterprise Dependency Confusion (attributed-to)
- eslint-config-prettier Compromise (attributed-to)
- Bittensor Typosquat Campaign (attributed-to)
- qix npm Account Compromise (attributed-to)
- Shai-Hulud (attributed-to)
- TeamPCP (attributed-to)
- Strapi Plugin C2 Campaign (attributed-to)
- big.js Typosquat SSH Backdoor (attributed-to)
- tanvisoul9 npm Backdoors (attributed-to)
- forge-jsx RAT (attributed-to)
- Contagious Interview (attributed-to)
- fucktestpad npm Malware (attributed-to)
- Mini Shai-Hulud (attributed-to)
- shetty123 Telegram Hijack (attributed-to)
- Claude Code Hook Backdoors (attributed-to)
- oob-moika-tech-depconf-2026 (attributed-to)
- Epsilon Axios Typosquat Campaign (attributed-to)
- Miasma: The Spreading Blight (attributed-to)
