OSV Malicious Advisory
scanned 9d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5165 confirms this npm version as malicious. Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package `@emcd-vue/auth` on 2026-06-01 by the same anonymous account (`emcd-vue@proton.me`).
Advisory
MAL-2026-5165
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @emcd-vue/loans (npm)
Details
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package `@emcd-vue/auth` on 2026-06-01 by the same anonymous account (`emcd-vue@proton.me`).
Confirmed to use identical infrastructure and dropper logic as `@emcd-vue/auth`: downloads a platform-specific second-stage payload from `https://oob.moika.tech/payload/{platform}` using `X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`, writes it to `~/.emcd-vue_init.js` (dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. Beacons installation metadata to `https://oob.moika.tech/report` on completion.
---
## Source: amazon-inspector (7b5f346a554fe9f5f7cfc733c36d4c92c373aea12e245ef70e1031f41ff76f05) On `npm install`, the declared postinstall script `scripts/postinstall.js` executes a heavily obfuscated (obfuscator.io-style) bundle that collects host identifiers (hostname, username, homedir), the full `process.env` (with Windows-specific keys such as USERDOMAIN, COMPUTERNAME, APPDATA, LOCALAPPDATA, TEMP, PROGRAMDATA), the tail of shell history, and the contents of a hardcoded list of files under the user's home directory that the package itself never created. The collected object is transmitted to a remote endpoint over HTTP(S) and additionally over a covert DNS channel: the payload is base32-encoded into subdomain labels and issued as `dns.Resolver().resolveTxt(...)` queries in chunks, bypassing HTTP egress filters. Endpoint hostnames, header names, and API strings are reconstructed at runtime via a shuffled string array with RC4/XOR decoders. Before exfiltrating, the script checks `process.argv` and `NODE_OPTIONS` for debugger indicators and performs a timing check to detect sandboxes, skipping the exfil if analysis instrumentation is detected. The package also exhibits dependency-confusion shape: metadata references an internal-looking scope and registry (`@emcd-vue`, `npm.emcd-vue.io`, `github.emcd-vue.io`) while being published to the public npm registry, and `dist/index.js` re-exports a `../src/index.js` that is absent from the tarball, so the package has no functional library surface — the postinstall is its only executable code.
Decision reason
OpenSSF Malicious Packages via OSV confirms @emcd-vue/loans@7.1.8 as malicious (MAL-2026-5165): Malicious code in @emcd-vue/loans (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory