VDB
GCVE-110-OSM-2026-5353
GCVE-110-OSM-2026-5353
Advisory PublishedCVSS 9.6/10
Malicious npm package in the oob.moika.tech dependency-confusion campaign, published by account 'emcd-vue' impersonating EMCD cryptocurrency exchange internal modules. A postinstall hook exfiltrates the full environment (process.env credentials, tokens, secrets) and host metadata to https://oob.moika.tech/report and executes an OS-specific second-stage payload. Versions 6.4.8 and 6.4.9.
Malicious payload found in: npm postinstall hook (install script)
Persistence: ~/.emcd-vue_init.js (home-directory init script)
C2 report endpoint: https://oob.moika.tech/report
Second-stage payload URLs: https://oob.moika.tech/payload/{mac|win|linux}.js
Auth header: X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1
Obfuscation: WaCk/JScrambler multi-layer, 811-element string array
Handshake: FUSION_ prefixed environment variables
Behavior: Exfiltrates full process.env (credentials, tokens, secrets) and host metadata to the C2, then fetches and runs a detached OS-specific second-stage payload. Impersonates EMCD cryptocurrency exchange internal modules via dependency confusion (account 'emcd-vue', June 1 2026 wave).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @emcd-vue/auth | all (affected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.