VDB
KO

MAL-2026-5164

Malicious code in @emcd-vue/b2b-pay-form (npm)

Details

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the `@emcd-vue` npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages `@emcd-vue/auth` and `@emcd-vue/loans`, which share C2 infrastructure at `oob.moika.tech`.

The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the `@emcd-vue` scope has no affiliation with the real EMCD exchange (`emcd.io`). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from `https://oob.moika.tech/payload/{platform}` using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to `https://oob.moika.tech/report`.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e45e677cee670117b0ff7dcdf2f04491cfb61385025a178e197ea35924e9410e) @emcd-vue/b2b-pay-form ships an obfuscator.io-encoded scripts/postinstall.js wired as the npm `postinstall` lifecycle hook. On `npm install`, the script builds a platform-keyed URL from `os.platform()`, performs an HTTPS GET of a remote payload, writes it to `os.tmpdir()`, and spawns it via `spawn(process.execPath, [tmpFile], {detached:true}).unref()` — a classic install-time dropper that grants the publisher arbitrary remote code execution on every installing host. An environment-variable kill switch and a TTL-gated JSON cache in the user home directory throttle re-execution to evade detection. The package's stated purpose is an 'Internal HTTP client'; fetching and executing remote Node code is unrelated to that purpose. The package metadata is also fabricated dependency-confusion bait: scope `@emcd-vue` and all referenced domains (`emcd-vue.io`, `github.emcd-vue.io`, `jira.emcd-vue.io`, `docs.emcd-vue.io`, `npm.emcd-vue.io`, `telemetry.emcd-vue.io`) are not owned by any public organization, and the README instructs consumers to point npm at `https://npm.emcd-vue.io` while branding the package as 'Internal package — Platform Engineering Team' — the canonical pattern for targeting orgs whose private internal scope matches `@emcd-vue` or whose CI lazily resolves unknown scopes from the public registry. The postinstall file itself is heavily obfuscated (string-array + RC4-style decoder, control-flow flattening, self-defending function, 109-entry encoded string table), which has no legitimate purpose for a lifecycle script and is consistent with evasion of review.

## Source: ghsa-malware (d90cd206861b8a82dbbf2519456e475cb2aae36d33267bfb0b6a512cf51366e4) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @emcd-vue/b2b-pay-form
Introduced in: 0

No fixed version published yet for @emcd-vue/b2b-pay-form (npm). Pin to a known-safe version or switch to an alternative.

References