MAL-2026-5032

Malicious code in @sber-ecom-core/sberpay-widget (npm)

Details

Wave 2 of a dependency confusion attack campaign (C2: `oob.moika.tech`) targeting internal npm scopes. The attacker (npm user **t-in-one**, email `nath.dr4k3@gmail.com`) published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign shares the same C2 endpoint (`https://oob.moika.tech/report`), second-stage payload host (`https://oob.moika.tech/payload`), and hardcoded secret (`l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`) as Wave 1 (npm users **mr.4nd3r50n** and **pik-libs**, published 2026-05-27).

This package explicitly impersonates Sberbank's SberPay payment widget (`@sber-ecom-core/sberpay-widget`), confirming deliberate financial-sector targeting. Registry metadata shows it was pre-staged at version `99.0.7` on 2026-05-04, weeks before the Wave 2 burst on 2026-05-29.

On installation, the `postinstall` hook executes a three-layer obfuscated `scripts/postinstall.js` (obfuscator.io + custom base64 alphabet + integer-shuffle string table). The script checks a run-once guard at `~/.cache/._t-in-one_init/` and respects a `T_IN_ONE_NO_TELEMETRY` kill switch before proceeding. It then downloads an OS-specific second-stage JavaScript payload from `https://oob.moika.tech/payload/{mac|win|linux}.js`, writes it to a temporary file, and spawns it as a detached Node.js process that continues running after npm exits. The payload exfiltrates the full `process.env` (environment variables including secrets, tokens, and credentials), along with hostname, username, platform, architecture, and working directory, to `https://oob.moika.tech/report`.
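The indicators in the Details section, turned into a small Node.js audit a defender can run over the `package.json` (and install-script source, where available) of installed packages. This is an added example written for this advisory, not code from the OSV record or from the package itself; `auditPackage`, the sample manifest and the sample script text are constructed, and the `_npmUser` field is assumed to be present only when registry metadata was preserved.

```javascript
// Added example (not part of the advisory): flag packages matching the
// indicators described above. Sample inputs below are constructed.
const SUSPECT_HOSTS = ['oob.moika.tech'];                       // C2 / payload host from the advisory
const SUSPECT_STRINGS = ['T_IN_ONE_NO_TELEMETRY', '._t-in-one_init'];
const SUSPECT_PUBLISHERS = ['t-in-one', 'mr.4nd3r50n', 'pik-libs'];
const INFLATED_MAJOR = 99;                                      // package was pre-staged at 99.0.7

function auditPackage(manifest, scriptSource = '') {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of ['preinstall', 'install', 'postinstall']) {
    if (scripts[hook]) findings.push(`install hook "${hook}": ${scripts[hook]}`);
  }
  // Dependency confusion relies on an implausibly high version outranking the private one.
  const major = parseInt(String(manifest.version).split('.')[0], 10);
  if (Number.isInteger(major) && major >= INFLATED_MAJOR) {
    findings.push(`inflated version ${manifest.version} (dependency confusion pattern)`);
  }
  // _npmUser is registry metadata; assumed present only when npm kept it in package.json.
  const publisher = manifest._npmUser && manifest._npmUser.name;
  if (publisher && SUSPECT_PUBLISHERS.includes(publisher)) {
    findings.push(`published by known-malicious npm user ${publisher}`);
  }
  const haystack = scriptSource + JSON.stringify(manifest);
  for (const host of SUSPECT_HOSTS) if (haystack.includes(host)) findings.push(`references C2 host ${host}`);
  for (const s of SUSPECT_STRINGS) if (haystack.includes(s)) findings.push(`contains marker "${s}"`);
  // Behavioural hints even when strings are obfuscated: env harvesting plus network I/O, detached child.
  if (/process\.env/.test(scriptSource) && /https?:\/\//.test(scriptSource)) {
    findings.push('install script reads process.env and references a remote URL');
  }
  if (/\bdetached\s*:\s*true\b/.test(scriptSource)) findings.push('install script spawns a detached process');
  return findings;
}

// Constructed sample mirroring the advisory's indicators (not the real package contents).
const sampleManifest = {
  name: '@sber-ecom-core/sberpay-widget',
  version: '99.0.7',
  scripts: { postinstall: 'node scripts/postinstall.js' },
  _npmUser: { name: 't-in-one' },
};
const sampleScript = [
  '"T_IN_ONE_NO_TELEMETRY" "~/.cache/._t-in-one_init/"',
  '"https://oob.moika.tech/report" process.env',
  '{ detached: true }',
].join('\n');

console.log(auditPackage(sampleManifest, sampleScript));
```

Pair the scan with a `.npmrc` that pins the `@sber-ecom-core` scope to the private registry and sets `ignore-scripts=true`, so that install hooks do not run even if a confused resolution slips through.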

Affected packages

npm / @sber-ecom-core/sberpay-widget
Introduced in: 0

No fixed version published yet for @sber-ecom-core/sberpay-widget (npm). Pin to a known-safe version or switch to an alternative.
