mal-2026-5038
Vulnerability from ossf_malicious_packages
Published
2026-05-29 00:00
Modified
2026-05-29 00:00
Summary
Malicious code in @t-in-one/form_product_token (npm)
Details

Wave 2 of a dependency confusion attack campaign (C2: oob.moika.tech) targeting internal npm scopes. The attacker (npm user t-in-one, email nath.dr4k3@gmail.com) published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign shares the same C2 endpoint (https://oob.moika.tech/report), second-stage payload host (https://oob.moika.tech/payload), and hardcoded secret (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) as Wave 1 (npm users mr.4nd3r50n and pik-libs, published 2026-05-27).

On installation, the postinstall hook executes a three-layer obfuscated scripts/postinstall.js (obfuscator.io + custom base64 alphabet + integer-shuffle string table). The script checks a run-once guard at ~/.cache/._t-in-one_init/ and respects a T_IN_ONE_NO_TELEMETRY kill switch before proceeding. It then downloads an OS-specific second-stage JavaScript payload from https://oob.moika.tech/payload/{mac|win|linux}.js, writes it to a temporary file, and spawns it as a detached Node.js process that continues running after npm exits. The payload exfiltrates the full process.env (environment variables including secrets, tokens, and credentials), along with hostname, username, platform, architecture, and working directory, to https://oob.moika.tech/report.

Credits
SafeDep safedep.io

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@t-in-one/form_product_token"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "https://safedep.io"
      ],
      "name": "SafeDep",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": null
  },
  "details": "Wave 2 of a dependency confusion attack campaign (C2: `oob.moika.tech`) targeting internal npm scopes. The attacker (npm user **t-in-one**, email `nath.dr4k3@gmail.com`) published packages at inflated versions that resolve ahead of private registry versions via npm\u0027s default version resolution. The campaign shares the same C2 endpoint (`https://oob.moika.tech/report`), second-stage payload host (`https://oob.moika.tech/payload`), and hardcoded secret (`l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`) as Wave 1 (npm users **mr.4nd3r50n** and **pik-libs**, published 2026-05-27).\n\nOn installation, the `postinstall` hook executes a three-layer obfuscated `scripts/postinstall.js` (obfuscator.io + custom base64 alphabet + integer-shuffle string table). The script checks a run-once guard at `~/.cache/._t-in-one_init/` and respects a `T_IN_ONE_NO_TELEMETRY` kill switch before proceeding. It then downloads an OS-specific second-stage JavaScript payload from `https://oob.moika.tech/payload/{mac|win|linux}.js`, writes it to a temporary file, and spawns it as a detached Node.js process that continues running after npm exits. The payload exfiltrates the full `process.env` (environment variables including secrets, tokens, and credentials), along with hostname, username, platform, architecture, and working directory, to `https://oob.moika.tech/report`.",
  "id": "MAL-2026-5038",
  "modified": "2026-05-29T00:00:00Z",
  "published": "2026-05-29T00:00:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://safedep.io/oob-moika-tech-dependency-confusion-campaign/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in @t-in-one/form_product_token (npm)"
}

