VDB
GCVE-110-OSM-2026-5062
GCVE-110-OSM-2026-5062
Advisory PublishedCVSS 9.6/10
Malicious npm package in the oob.moika.tech dependency-confusion campaign, published by account 'mr.4nd3r50n' impersonating a cloud platform provider's internal micro-frontend modules. A postinstall hook exfiltrates the full environment (process.env credentials, tokens, secrets) and host metadata to https://oob.moika.tech/report and runs a detached OS-specific second-stage payload.
Malicious payload found in: package.json (postinstall hook) -> scripts/postinstall.js
Hardcoded campaign constants:
CALLBACK_URL = https://oob.moika.tech/report
PAYLOAD_BASE = https://oob.moika.tech/payload
SECRET (X-Secret header) = l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1
Behavior: postinstall sleeps 3s (sandbox evasion), detects OS, downloads second stage https://oob.moika.tech/payload/{mac|win|linux}.js to OS temp dir, spawns it detached (survives npm install exit), then POSTs full process.env + hostname, username, platform, architecture, cwd and Node version to https://oob.moika.tech/report with X-Secret header. Fallback beacon sends system data directly if second-stage download fails. Exfiltrates any credentials in env: NPM_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN, database URLs.
Temp/marker artifacts: ._cloudplatform-single-spa_init.js, ._t-in-one_init.js, ~/.cache/._t-in-one_init/
Social engineering: README frames exfil as 'anonymous telemetry' with fake opt-out env vars and fabricated internal docs/registry URLs (docs.<target>.io, jira.<target>.io, npm.<target>.io).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @cloudplatform-single-spa/dataplatform-nessie | all (affected) | — |
Browse GCVE Records
71,925 records in the GCVE database · Updated July 13, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.