33 Malicious npm Packages Abuse Dependency Confusion to Profile Developer Environments (oob.moika[.]tech C2) — Threadlinqs Intelligence
Threat ID: TL-2026-0633 · Severity: HIGH · Status: ACTIVE · Category: SUPPLY_CHAIN
Attribution: Unattributed single operator (aliases: mr.4nd3r50n / ce-rwb / t-in-one) · ESPIONAGE
Microsoft Threat Intelligence uncovered an active npm supply-chain campaign in which a single operator using three maintainer aliases (mr.4nd3r50n, ce-rwb, t-in-one) published 33 malicious packages on
On May 28-29, 2026, Microsoft Threat Intelligence identified and reported an active software supply-chain attack targeting the npm registry. A single threat operator, masquerading as three distinct maintainers (mr.4nd3r50n, ce-rwb, t-in-one), published 33 malicious packages spanning nine scoped namespaces engineered to impersonate real internal corporate registries — a textbook dependency-confusion attack. The targeted scopes (@cloudplatform-single-spa, @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests, @t-in-one, @capibar.chat, @sber-ecom-core) heavily mirror Russian technology and financial organizations (Sberbank ecom core, Wildberries tracking, GigaChat ML), and the packages were published with anomalously high version numbers (100.100.100, 99.0.7, 3.5.22) so that a misconfigured client resolving from the public registry pulls the attacker copy over a legitimately scoped internal package.
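The misconfiguration this campaign relies on is a scoped dependency that the client is allowed to resolve from the public registry. The audit below is an added example (not code from Microsoft, Threadlinqs or the campaign) that checks three things a defender can verify offline: whether each scope in package.json is pinned to an internal registry in .npmrc, whether the declared version range would accept an attacker-published version such as 100.100.100, and whether the lockfile's resolved URL points at the public registry. The scope names, registry host, .npmrc text and lockfile entries are constructed for the example.

```javascript
// Dependency-confusion audit for an npm project (added example; inputs are constructed).

// Minimal .npmrc parser: picks up the default registry and any "@scope:registry=" mappings.
function parseNpmrc(text) {
  const cfg = { registry: 'https://registry.npmjs.org/', scopes: {} };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key === 'registry') cfg.registry = val;
    else if (key.startsWith('@') && key.endsWith(':registry')) {
      cfg.scopes[key.slice(0, -':registry'.length)] = val;
    }
  }
  return cfg;
}

function scopeOf(name) {
  return name.startsWith('@') ? name.split('/')[0] : null;
}

// Ranges that place no upper bound on the major version, so a 100.100.100 from the
// public registry wins resolution. "^x.y.z" and "~x.y.z" are bounded and are not flagged.
function rangeAcceptsAnyMajor(range) {
  const r = String(range).trim();
  return r === '' || /^(\*|latest|x|>=?\s*[\d.]+)$/.test(r);
}

// internalHosts: hostnames of registries the organisation actually controls (assumption: caller supplies them).
// lockResolved: map of package name -> "resolved" URL taken from package-lock.json (constructed here).
function auditDependencies(npmrcText, pkg, lockResolved, internalHosts) {
  const cfg = parseNpmrc(npmrcText);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const [name, range] of Object.entries(deps)) {
    const scope = scopeOf(name);
    if (!scope) continue; // unscoped packages are a different problem (typosquatting), out of scope here
    const registry = cfg.scopes[scope] || cfg.registry;
    if (!internalHosts.some((h) => registry.includes(h))) {
      findings.push({ name, issue: 'scope-resolves-to-public-registry', registry });
    }
    if (rangeAcceptsAnyMajor(range)) {
      findings.push({ name, issue: 'unbounded-version-range', range });
    }
    const resolved = lockResolved[name];
    if (resolved && !internalHosts.some((h) => resolved.includes(h))) {
      findings.push({ name, issue: 'lockfile-resolved-from-public-registry', resolved });
    }
  }
  return findings;
}

// Constructed sample project: one scope pinned correctly, one scope left to fall through to npmjs.
const SAMPLE_NPMRC = [
  'registry=https://registry.npmjs.org/',
  '@acme-internal:registry=https://npm.acme.example/',
].join('\n');

const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@acme-internal/ui': '^2.1.0',   // pinned scope, bounded range: clean
    '@acme-payments/sdk': '*',       // unpinned scope, unbounded range: confusable
    lodash: '^4.17.21',
  },
};

// Constructed lockfile excerpt showing the confusable package already resolved from the public registry.
const SAMPLE_LOCK_RESOLVED = {
  '@acme-payments/sdk': 'https://registry.npmjs.org/@acme-payments/sdk/-/sdk-100.100.100.tgz',
};

const INTERNAL_HOSTS = ['npm.acme.example']; // assumption: the organisation's private registry host

function runAudit() {
  return auditDependencies(SAMPLE_NPMRC, SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_RESOLVED, INTERNAL_HOSTS);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

The fix for a flagged scope is a `@scope:registry=` line in the project's (or the CI runner's) .npmrc pointing at the internal registry, together with a bounded version range; the lockfile check catches the case where the confusion has already happened on a developer machine and the wrong tarball URL has been committed.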
EXPLOIT/DELIVERY CHAIN: Each package declares a postinstall lifecycle hook (scripts/postinstall.js) that executes automatically the moment a victim runs npm install — no require() from victim code is needed. The ~7KB stager is heavily obfuscated using string-array encoding (URLs, function names, and env keys stored in a rotated array decoded at runtime via a custom Base64 variant), control-flow flattening through computed dispatch tables, and dead-code injection for anti-analysis noise. Execution proceeds through an eight-stage flow: (1) CI/CD detection-and-bypass — the stager checks the CI environment variable or scope-specific kill switches (e.g. CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY, T_IN_ONE_NO_TELEMETRY) and silently aborts if set, evading monitored build pipelines; (2) Node.js version validation (>= 16.0); (3) cache-based deduplication — a hash key derived from package name, version, and project-root path is checked against ~/.cache/<scope>_init/, and execution exits if a non-expired marker exists, preventing re-runs that would raise the detection profile; (4) project-root detection by walking the directory tree for package.json, yarn.lock, or .git; (5) platform detection via os.platform(); (6) payload download via HTTPS GET to oob.moika[.]tech/payload/{win|mac|linux} with a 30-second timeout, carrying the hard-coded header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1; (7) payload drop to os.tmpdir() as a .js file (e.g. ._cloudplatform-single-spa_init.js); (8) detached execution via child process .unref() so the dropped recon payload outlives the npm install process.
RECON DROPPER: The downloaded ~17KB JavaScript dropper performs environment fingerprinting and credential reconnaissance, collecting system information, hostnames, environment variables, and developer context, then exfiltrates over the C2 channel. Behavior is gated by a server-toggleable RECON_ONLY flag passed via the spawned process environment; it is hard-coded to 1 in the current campaign, restricting activity to reconnaissance. The architecture explicitly supports a Full exploitation mode in which the operator flips the flag server-side, converting the established footholds into active exploitation against a pre-built inventory of high-value targets. This two-phase recon-then-exploit design minimizes detection risk during initial deployment while building target intelligence for selective compromise.
INFRASTRUCTURE & ATTRIBUTION: All 33 packages across all three maintainer accounts beacon to the single C2 oob.moika[.]tech, which resolves to 72.56.97.200 on AS210976 (Timeweb, LLP — a CIS-region hosting provider), and every outbound request carries the identical hard-coded X-Secret value l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1. Microsoft assesses a single operator behind all three aliases based on: the shared secret and shared C2 across every account; an identical package-generation template across all accounts indicating one automated generator; matching publishing toolchains (Node.js 20.20.x / npm 10.8.2); and tight publishing-time clustering with a 1
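The delivery chain and infrastructure sections above give a defender three places to look: package metadata (a postinstall hook on a watched scope with an anomalously high version), egress logs (the C2 host, its IP, the /payload/{win|mac|linux} path and the fixed X-Secret value), and host artifacts (the ~/.cache/<scope>_init/ marker directory and the ._<scope>_init.js drop in the temp directory). The scanner below is an added example, not Microsoft's, Threadlinqs' or any vendor's detection content; the IOC values are taken from this report, the version threshold of 50 is an assumption, and the manifests, log lines and paths it runs over are constructed.

```javascript
// IOC and behaviour scanner for the campaign described above (added example; sample data is constructed).
const IOC = {
  c2Domain: 'oob.moika.tech',                   // report lists it defanged as oob.moika[.]tech
  c2Ip: '72.56.97.200',                         // from the report
  xSecret: 'l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1',  // hard-coded request header value from the report
  scopes: ['@cloudplatform-single-spa', '@wb-track', '@data-science', '@ce-rwb', '@payments-widget',
           '@travel-autotests', '@t-in-one', '@capibar.chat', '@sber-ecom-core'],
};

// Package manifest check: returns the traits from the report that a package.json exhibits.
function scanManifest(manifest) {
  const hits = [];
  const scope = manifest.name.startsWith('@') ? manifest.name.split('/')[0] : null;
  if (scope && IOC.scopes.includes(scope)) hits.push('watched-scope');
  if (manifest.scripts && manifest.scripts.postinstall) hits.push('postinstall-hook');
  const major = parseInt(String(manifest.version).split('.')[0], 10);
  if (Number.isFinite(major) && major >= 50) hits.push('anomalous-version'); // threshold is an assumption
  return hits;
}

// Egress/proxy log check: one line in, list of matched IOC kinds out.
function scanLogLine(line) {
  const hits = [];
  if (line.includes(IOC.c2Domain)) hits.push('c2-domain');
  if (line.includes(IOC.c2Ip)) hits.push('c2-ip');
  if (line.includes(IOC.xSecret)) hits.push('x-secret-header');
  if (/\/payload\/(win|mac|linux)\b/.test(line)) hits.push('payload-path');
  return hits;
}

// Host artifact check: cache marker directory and temp-directory dropper name patterns from the report.
function scanHostPath(p) {
  const hits = [];
  if (/(^|\/)\.cache\/[\w.@-]+_init(\/|$)/.test(p)) hits.push('cache-marker-dir');
  if (/(^|\/)\._[\w.-]+_init\.js$/.test(p)) hits.push('tmp-dropper');
  return hits;
}

// Constructed samples. Package names, hosts and timestamps are invented for the example.
const SAMPLE_MANIFESTS = [
  { name: '@payments-widget/core', version: '100.100.100', scripts: { postinstall: 'node scripts/postinstall.js' } },
  { name: 'lodash', version: '4.17.21' },
];

const SAMPLE_LOG = [
  '2026-05-29T10:12:01Z src=10.1.2.3 method=GET host=oob.moika.tech path=/payload/linux hdr=X-Secret:l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1',
  '2026-05-29T10:12:05Z src=10.1.2.3 method=GET host=registry.npmjs.org path=/lodash',
  '2026-05-29T10:13:00Z src=10.1.2.9 method=GET dst=72.56.97.200 path=/payload/win',
];

const SAMPLE_PATHS = [
  '/home/dev/.cache/cloudplatform-single-spa_init/3f2a9c',
  '/tmp/._cloudplatform-single-spa_init.js',
  '/home/dev/project/node_modules/lodash/package.json',
];

function runScan() {
  return {
    manifests: SAMPLE_MANIFESTS.map((m) => ({ name: m.name, hits: scanManifest(m) })),
    log: SAMPLE_LOG.map((l) => scanLogLine(l)),
    paths: SAMPLE_PATHS.map((p) => scanHostPath(p)),
  };
}

console.log(JSON.stringify(runScan(), null, 2));
```

In practice the manifest check is run over every package.json under node_modules (or over the registry's package metadata before install), the log check over proxy or DNS logs for developer workstations and CI runners, and the path check over file-creation telemetry; a watched scope with a postinstall hook is worth an alert on its own, since the report's stager needs nothing more than npm install to run.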
Weaknesses (CWE)
CWE-1357, CWE-829, CWE-506, CWE-494
Target sectors: technology, financial, e-commerce, cloud, software-development, retail
Target regions: Russia, CIS, Eastern Europe, Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 30 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: SUPPLY_CHAIN, HIGH, threat intelligence, cybersecurity
MITRE ATT&CK: T1583, T1585, T1608, T1587, T1195, T1059, T1204, T1546, T1027