VDB

GCVE-110-OSM-2026-5353

GCVE-110-OSM-2026-5353
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 1, 2026
Malicious npm package in the oob.moika.tech dependency-confusion campaign, published by account 'emcd-vue' impersonating EMCD cryptocurrency exchange internal modules. A postinstall hook exfiltrates the full environment (process.env credentials, tokens, secrets) and host metadata to https://oob.moika.tech/report and executes an OS-specific second-stage payload. Versions 6.4.8 and 6.4.9. Malicious payload found in: npm postinstall hook (install script) Persistence: ~/.emcd-vue_init.js (home-directory init script) C2 report endpoint: https://oob.moika.tech/report Second-stage payload URLs: https://oob.moika.tech/payload/{mac|win|linux}.js Auth header: X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 Obfuscation: WaCk/JScrambler multi-layer, 811-element string array Handshake: FUSION_ prefixed environment variables Behavior: Exfiltrates full process.env (credentials, tokens, secrets) and host metadata to the C2, then fetches and runs a detached OS-specific second-stage payload. Impersonates EMCD cryptocurrency exchange internal modules via dependency confusion (account 'emcd-vue', June 1 2026 wave).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@emcd-vue/authall (affected)

References

vendor

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›