MAL-2026-5164: Malicious code in @emcd-vue/b2b-pay-form (npm)
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages `@emcd-vue/auth` and `@emcd-vue/loans`, which share C2 infrastructure at `oob.moika.tech`. The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the `@emcd-vue` scope has no affiliation with the real EMCD exchange (`emcd.io`). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from `https://oob.moika.tech/payload/{platform}` using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to `https://oob.moika.tech/report`. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e) @emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm `postinstall` lifecycle hook. On `npm install`, the script builds a platform-keyed URL from `os.platform()`, performs an HTTPS GET of a remote payload, writes it to `os.tmpdir()`, and spawns it via `spawn(process.execPath, [tmpFile], {detached:true}).unref()` — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose. The package metadata is also fabricated dependency-confusion bait: scope `@emcd-vue` and all referenced domains (`emcd-vue.io`, `github.emcd-vue.io`, `jira.emcd-vue.io`, `docs.emcd-vue.io`, `npm.emcd-vue.io`, `telemetry.emcd-vue.io`) are not owned by any public organization, and the README instructs consumers to point npm at `https://npm.emcd-vue.io` while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches `@emcd-vue` or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.
MAL-2026-5164: Malicious code in @emcd-vue/b2b-pay-form (npm)
Description
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages `@emcd-vue/auth` and `@emcd-vue/loans`, which share C2 infrastructure at `oob.moika.tech`. The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the `@emcd-vue` scope has no affiliation with the real EMCD exchange (`emcd.io`). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from `https://oob.moika.tech/payload/{platform}` using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to `https://oob.moika.tech/report`. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e) @emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm `postinstall` lifecycle hook. On `npm install`, the script builds a platform-keyed URL from `os.platform()`, performs an HTTPS GET of a remote payload, writes it to `os.tmpdir()`, and spawns it via `spawn(process.execPath, [tmpFile], {detached:true}).unref()` — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose. The package metadata is also fabricated dependency-confusion bait: scope `@emcd-vue` and all referenced domains (`emcd-vue.io`, `github.emcd-vue.io`, `jira.emcd-vue.io`, `docs.emcd-vue.io`, `npm.emcd-vue.io`, `telemetry.emcd-vue.io`) are not owned by any public organization, and the README instructs consumers to point npm at `https://npm.emcd-vue.io` while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches `@emcd-vue` or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-5164
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50baa768715ace43584fea
Added to database: 07/10/2026, 09:25:59 UTC
Last updated: 07/10/2026, 09:25:59 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.