Feed
HighPublished 28 May 2026Updated 29 May 202645 packages · 47 versions

oob.moika.tech dependency-confusion campaign across nine npm scopes (mr.4nd3r50n / ce-rwb / t-in-one)

Summary

Between 2026-05-28 18:47 UTC and 2026-05-29 09:02 UTC a single operator using the npm aliases mr.4nd3r50n, ce-rwb, and t-in-one pushed dependency-confusion packages across nine corporate-looking scopes (@cloudplatform-single-spa, @t-in-one, @ce-rwb, @wb-track, @data-science, @payments-widget, @travel-autotests, @capibar.chat, @sber-ecom-core). Postinstall stagers exfiltrate process.env to oob.moika[.]tech with a shared X-Secret header.

dependency-confusioncredential-theftobfuscationinfostealer
Detected by
Microsoft Threat Intelligence · SafeDep
Also known as
mr.4nd3r50n campaign · oob.moika.tech · t-in-one
Ecosystems
npm
Packages tracked
45

What happened

Microsoft Threat Intelligence published an analysis on 2026-05-29 of an active dependency-confusion campaign in which one operator — split across the three npm publisher aliases mr.4nd3r50n (mr.4nd3r50n@yandex[.]ru), ce-rwb (ogvanta@yandex[.]ru), and t-in-one (t-in-one@yandex[.]ru) — pushed malicious packages under nine corporate-looking npm scopes across two publishing bursts on 2026-05-28 and 2026-05-29. All packages share the same obfuscated scripts/postinstall.js stager, the same C2 (oob.moika[.]tech), and the same authentication marker (X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1), confirming a single operator.

The mr.4nd3r50n account opened the campaign at 18:47–18:51 UTC on 2026-05-28 with 26 packages under @cloudplatform-single-spa, all stamped version 100.100.100 to win semver resolution against a real internal scope. Eleven minutes later, the ce-rwb account dropped 7 packages under @wb-track, @data-science, @ce-rwb, @payments-widget, and @travel-autotests at version 3.5.22. The next morning at 09:01:56–09:02:39 UTC, t-in-one published 10 @t-in-one packages in a 43-second automated burst at version 5.7.1, plus follow-ons under @capibar.chat/ui-kit (99.5.7) and @sber-ecom-core/sberpay-widget (99.5.8). Two of those scopes had a pre-staged 99.0.7 release on 2026-05-04, suggesting weeks of reconnaissance against a Russian-language fintech / chat-platform target before the live burst.

The execution chain is straightforward but well-designed for stealth: npm install triggers scripts/postinstall.js (a ~7–13 KB obfuscated stager), which performs an HTTPS GET to oob.moika[.]tech carrying the shared X-Secret header, writes an OS-specific second-stage payload (oob.moika[.]tech/payload/{win,mac,linux}) into tmpdir as ._<scope>_init.js, then spawns it as a detached child process with windowsHide=true. The payload is cached under ~/.cache/._<scope>_init/ for re-use and exfiltrates the runner's full process.env. A *_RECON_ONLY=1 flag is hard-coded in the current builds, meaning the operator is still in the reconnaissance phase — orgs that saw a callback to oob.moika[.]tech should treat that environment as enumerated and expect a targeted follow-on.

Microsoft's blog tracks 33 packages across the May 28–29 publishing bursts. SafeDep separately reported a larger 164-package wave on 2026-05-27 against @cloudplatform-single-spa, @mlspace, @car-loans, @fb-deposit, and @debit-ib at version 99.99.99, exfiltrating to the same oob.moika[.]tech/report endpoint — strong evidence that the same operator was active for at least 48 hours before Microsoft's disclosure. The SafeDep package-level inventory could not be re-verified at ingest time so only the Microsoft-confirmed 45 package versions are encoded below; treat the SafeDep scopes as additional hunting hints.

  • Microsoft Defender detections: Trojan:JS/ObfusNpmJs.SA and Trojan:JS/ObfusNpmJs cover the obfuscated postinstall stager and on-disk recon payload.
  • The mr.4nd3r50n alias was previously observed in April 2024 publishing what appeared to be benign bug-bounty dependency-confusion proofs; the same handle returning two years later with a production-quality C2 and a 33-package burst is itself notable tradecraft signal.
  • All Yandex.ru maintainer addresses, the spoofed t-in-one[.]io infrastructure, and the SafeDep Russian-language scopes (@sber-ecom-core, @capibar.chat, @fb-deposit, @debit-ib) point at Russian-language targets, though Microsoft does not formally attribute.

Affected packages (45)

  • npm@capibar.chat/ui-kit
    99.0.799.5.7
  • npm@ce-rwb/ce-tools-editor-admin
    3.5.22
  • npm@ce-rwb/ce-tools-editor-core
    3.5.22
  • npm@ce-rwb/ce-tools-editor-render
    3.5.22
  • npm@cloudplatform-single-spa/administration
    100.100.100
  • npm@cloudplatform-single-spa/arenadata-db
    100.100.100
  • npm@cloudplatform-single-spa/base-static-page
    100.100.100
  • npm@cloudplatform-single-spa/business-solutions
    100.100.100
  • npm@cloudplatform-single-spa/cloud-dns
    100.100.100
  • npm@cloudplatform-single-spa/cnapp-ui
    100.100.100
  • npm@cloudplatform-single-spa/cp-api-gw
    100.100.100
  • npm@cloudplatform-single-spa/datagrid
    100.100.100
  • npm@cloudplatform-single-spa/dataplatform
    100.100.100
  • npm@cloudplatform-single-spa/dataplatform-metastore
    100.100.100
  • npm@cloudplatform-single-spa/dataplatform-trino
    100.100.100
  • npm@cloudplatform-single-spa/employees
    100.100.100
  • npm@cloudplatform-single-spa/enterprise
    100.100.100
  • npm@cloudplatform-single-spa/floating-ips
    100.100.100
  • npm@cloudplatform-single-spa/logaas
    100.100.100
  • npm@cloudplatform-single-spa/marketplace-gigachat
    100.100.100
  • npm@cloudplatform-single-spa/ml-ai-agents-agent
    100.100.100
  • npm@cloudplatform-single-spa/ml-ai-agents-agent-system
    100.100.100
  • npm@cloudplatform-single-spa/monitoring
    100.100.100
  • npm@cloudplatform-single-spa/security-groups
    100.100.100
  • npm@cloudplatform-single-spa/ssh-keys
    100.100.100
  • npm@cloudplatform-single-spa/support
    100.100.100
  • npm@cloudplatform-single-spa/svp-baas
    100.100.100
  • npm@cloudplatform-single-spa/svp-interfaces
    100.100.100
  • npm@cloudplatform-single-spa/svp-s3-storage
    100.100.100
  • npm@cloudplatform-single-spa/vpn
    100.100.100
  • npm@data-science/llm
    3.5.22
  • npm@payments-widget/payments-widget-sdk
    3.5.22
  • npm@sber-ecom-core/sberpay-widget
    99.0.799.5.8
  • npm@t-in-one/add_app_middleware_token
    5.7.1
  • npm@t-in-one/add_application
    5.7.1
  • npm@t-in-one/add_application_service_token
    5.7.1
  • npm@t-in-one/add_application_tid
    5.7.1
  • npm@t-in-one/application_id_storage_key_token
    5.7.1
  • npm@t-in-one/form_product_token
    5.7.1
  • npm@t-in-one/get_application_hid
    5.7.1
  • npm@t-in-one/only_difference_payload
    5.7.1
  • npm@t-in-one/prefill_bundle_data_token
    5.7.1
  • npm@t-in-one/prefill_credit_data_token
    5.7.1
  • npm@travel-autotests/npm-proto
    3.5.22
  • npm@wb-track/shared-front
    3.5.22

Impact

  • Postinstall hook dumps full process.env to https://oob.moika[.]tech/report — npm tokens, AWS/GCP/Azure keys, GitHub tokens, DB URLs all leak from any CI runner or dev workstation that installed a package
  • Stager downloads OS-specific second-stage payloads from oob.moika[.]tech/payload/{win,mac,linux} and spawns them as detached background processes (windowsHide=true)
  • Hard-coded *_RECON_ONLY=1 flag means current payloads are reconnaissance-only — affected orgs should expect a follow-on intrusion attempt against any environment that pinged the C2
  • Spoofed package.json URLs reference real-looking internal GitHub Enterprise, Jira, and docs portals (e.g. npm.t-in-one[.]io, docs.t-in-one[.]io, jira.t-in-one[.]io) so reviewers skimming metadata see a plausible "internal package"
  • Two @capibar.chat / @sber-ecom-core builds were pre-staged on 2026-05-04 as version 99.0.7, indicating reconnaissance against a Russian-language fintech / chat-platform target for several weeks before the burst

What to do

  1. 1Audit every package.json, lockfile, and CI cache for the scopes @cloudplatform-single-spa, @t-in-one, @ce-rwb, @wb-track, @data-science, @payments-widget, @travel-autotests, @capibar.chat, @sber-ecom-core — see the packages map below for the exact name set
  2. 2Block outbound to oob.moika[.]tech, npm.t-in-one[.]io, docs.t-in-one[.]io, jira.t-in-one[.]io and hunt for HTTP requests carrying header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1
  3. 3Rotate every secret that could have been in process.env on any host that installed one of these packages: npm tokens, GitHub PATs, AWS/GCP/Azure keys, database URLs, signing keys
  4. 4Enforce scope ownership for internal packages: register every internal @scope on the public npm registry (even with a stub) and pin private mirrors so the public version cannot be resolved
  5. 5Run npm ci --ignore-scripts (or pnpm / yarn equivalents) in CI for any build that does not need lifecycle scripts, and review newly-introduced postinstall scripts in PRs
  6. 6Hunt for ~/.cache/._<scope>_init/, tmpdir/._<scope>_init.js, and T_IN_ONE_NO_TELEMETRY environment variables on developer endpoints — these are documented IoCs from Microsoft Defender

References

npm-2026-05-28-moika-dependency-confusion