OSV-MAL-2026-5165

Malicious code in @emcd-vue/loans (npm)

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package `@emcd-vue/auth` on 2026-06-01 by the same anonymous account (`emcd-vue@proton.me`). Confirmed to use identical infrastructure and dropper logic as `@emcd-vue/auth`: downloads a platform-specific second-stage payload from `https://oob.moika.tech/payload/{platform}` using `X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`, writes it to `~/.emcd-vue_init.js` (dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. Beacons installation metadata to `https://oob.moika.tech/report` on completion. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (febfe36bf4efb63283bdcac20e625459b8f63358c2e32921a747f29bb2d65917) The package ships a heavily obfuscated postinstall script (scripts/postinstall.js) that executes automatically on `npm install`. The file uses hex-mangled identifier names (_0x2556a0, _0x3929dc, _0x2f9082, etc.) consistent with string-array obfuscators commonly used to hide network exfiltration, credential harvesting, or remote payload execution. Obfuscation in a lifecycle hook is not a legitimate engineering practice — install-time scripts in legitimate packages are readable shell or plain JS. The package name (@emcd-vue/loans) advertises a Vue.js loans component, which has no plausible reason to require obfuscated postinstall logic. Installing this package will run the obfuscated code automatically with the privileges of the developer or build system performing `npm install`.