{"id":"MAL-2026-5164","summary":"Malicious code in @emcd-vue/b2b-pay-form (npm)","details":"Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling under the \"EMCD Platform Engineering\" identity. This package was published on the same day as confirmed campaign packages `@emcd-vue/auth` and `@emcd-vue/loans`, which share C2 infrastructure at `oob.moika.tech`.\n\nThe package description (\"Internal HTTP client with retry, auth injection and request tracing\") is fabricated; the `@emcd-vue` scope has no affiliation with the real EMCD exchange (`emcd.io`). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from `https://oob.moika.tech/payload/{platform}` using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to `https://oob.moika.tech/report`.","modified":"2026-06-02T12:31:38.252971018Z","published":"2026-06-01T07:00:00Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"REPORT","url":"https://safedep.io/oob-moika-tech-dependency-confusion-campaign/"}],"affected":[{"package":{"name":"@emcd-vue/b2b-pay-form","ecosystem":"npm","purl":"pkg:npm/%40emcd-vue%2Fb2b-pay-form"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@emcd-vue/b2b-pay-form/MAL-2026-5164.json"}}],"schema_version":"1.7.5","credits":[{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}