oob.moika.tech dependency-confusion campaign across nine npm scopes (mr.4nd3r50n / ce-rwb / t-in-one)
Between 2026-05-28 18:47 UTC and 2026-05-29 09:02 UTC a single operator using the npm aliases mr.4nd3r50n, ce-rwb, and t-in-one pushed dependency-confusion packages across nine corporate-looking scopes (@cloudplatform-single-spa, @t-in-one, @ce-rwb, @wb-track, @data-science, @payments-widget, @travel-autotests, @capibar.chat, @sber-ecom-core). Postinstall stagers exfiltrate process.env to oob.moika[.]tech with a shared X-Secret header.
- Detected by
- Microsoft Threat Intelligence · SafeDep
- Also known as
- mr.4nd3r50n campaign · oob.moika.tech · t-in-one
- Ecosystems
- npm
- Packages tracked
- 45
What happened
Microsoft Threat Intelligence published an analysis on 2026-05-29 of an active dependency-confusion campaign in which one operator — split across the three npm publisher aliases mr.4nd3r50n (mr.4nd3r50n@yandex[.]ru), ce-rwb (ogvanta@yandex[.]ru), and t-in-one (t-in-one@yandex[.]ru) — pushed malicious packages under nine corporate-looking npm scopes across two publishing bursts on 2026-05-28 and 2026-05-29. All packages share the same obfuscated scripts/postinstall.js stager, the same C2 (oob.moika[.]tech), and the same authentication marker (X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1), confirming a single operator.
The mr.4nd3r50n account opened the campaign at 18:47–18:51 UTC on 2026-05-28 with 26 packages under @cloudplatform-single-spa, all stamped version 100.100.100 to win semver resolution against a real internal scope. Eleven minutes later, the ce-rwb account dropped 7 packages under @wb-track, @data-science, @ce-rwb, @payments-widget, and @travel-autotests at version 3.5.22. The next morning at 09:01:56–09:02:39 UTC, t-in-one published 10 @t-in-one packages in a 43-second automated burst at version 5.7.1, plus follow-ons under @capibar.chat/ui-kit (99.5.7) and @sber-ecom-core/sberpay-widget (99.5.8). Two of those scopes had a pre-staged 99.0.7 release on 2026-05-04, suggesting weeks of reconnaissance against a Russian-language fintech / chat-platform target before the live burst.
The execution chain is straightforward but well-designed for stealth: npm install triggers scripts/postinstall.js (a ~7–13 KB obfuscated stager), which performs an HTTPS GET to oob.moika[.]tech carrying the shared X-Secret header, writes an OS-specific second-stage payload (oob.moika[.]tech/payload/{win,mac,linux}) into tmpdir as ._<scope>_init.js, then spawns it as a detached child process with windowsHide=true. The payload is cached under ~/.cache/._<scope>_init/ for re-use and exfiltrates the runner's full process.env. A *_RECON_ONLY=1 flag is hard-coded in the current builds, meaning the operator is still in the reconnaissance phase — orgs that saw a callback to oob.moika[.]tech should treat that environment as enumerated and expect a targeted follow-on.
Microsoft's blog tracks 33 packages across the May 28–29 publishing bursts. SafeDep separately reported a larger 164-package wave on 2026-05-27 against @cloudplatform-single-spa, @mlspace, @car-loans, @fb-deposit, and @debit-ib at version 99.99.99, exfiltrating to the same oob.moika[.]tech/report endpoint — strong evidence that the same operator was active for at least 48 hours before Microsoft's disclosure. The SafeDep package-level inventory could not be re-verified at ingest time so only the Microsoft-confirmed 45 package versions are encoded below; treat the SafeDep scopes as additional hunting hints.
- Microsoft Defender detections:
Trojan:JS/ObfusNpmJs.SAandTrojan:JS/ObfusNpmJscover the obfuscated postinstall stager and on-disk recon payload. - The
mr.4nd3r50nalias was previously observed in April 2024 publishing what appeared to be benign bug-bounty dependency-confusion proofs; the same handle returning two years later with a production-quality C2 and a 33-package burst is itself notable tradecraft signal. - All Yandex.ru maintainer addresses, the spoofed
t-in-one[.]ioinfrastructure, and the SafeDep Russian-language scopes (@sber-ecom-core,@capibar.chat,@fb-deposit,@debit-ib) point at Russian-language targets, though Microsoft does not formally attribute.
Affected packages (45)
- npm
@capibar.chat/ui-kit99.0.799.5.7 - npm
@ce-rwb/ce-tools-editor-admin3.5.22 - npm
@ce-rwb/ce-tools-editor-core3.5.22 - npm
@ce-rwb/ce-tools-editor-render3.5.22 - npm
@cloudplatform-single-spa/administration100.100.100 - npm
@cloudplatform-single-spa/arenadata-db100.100.100 - npm
@cloudplatform-single-spa/base-static-page100.100.100 - npm
@cloudplatform-single-spa/business-solutions100.100.100 - npm
@cloudplatform-single-spa/cloud-dns100.100.100 - npm
@cloudplatform-single-spa/cnapp-ui100.100.100 - npm
@cloudplatform-single-spa/cp-api-gw100.100.100 - npm
@cloudplatform-single-spa/datagrid100.100.100 - npm
@cloudplatform-single-spa/dataplatform100.100.100 - npm
@cloudplatform-single-spa/dataplatform-metastore100.100.100 - npm
@cloudplatform-single-spa/dataplatform-trino100.100.100 - npm
@cloudplatform-single-spa/employees100.100.100 - npm
@cloudplatform-single-spa/enterprise100.100.100 - npm
@cloudplatform-single-spa/floating-ips100.100.100 - npm
@cloudplatform-single-spa/logaas100.100.100 - npm
@cloudplatform-single-spa/marketplace-gigachat100.100.100 - npm
@cloudplatform-single-spa/ml-ai-agents-agent100.100.100 - npm
@cloudplatform-single-spa/ml-ai-agents-agent-system100.100.100 - npm
@cloudplatform-single-spa/monitoring100.100.100 - npm
@cloudplatform-single-spa/security-groups100.100.100 - npm
@cloudplatform-single-spa/ssh-keys100.100.100 - npm
@cloudplatform-single-spa/support100.100.100 - npm
@cloudplatform-single-spa/svp-baas100.100.100 - npm
@cloudplatform-single-spa/svp-interfaces100.100.100 - npm
@cloudplatform-single-spa/svp-s3-storage100.100.100 - npm
@cloudplatform-single-spa/vpn100.100.100 - npm
@data-science/llm3.5.22 - npm
@payments-widget/payments-widget-sdk3.5.22 - npm
@sber-ecom-core/sberpay-widget99.0.799.5.8 - npm
@t-in-one/add_app_middleware_token5.7.1 - npm
@t-in-one/add_application5.7.1 - npm
@t-in-one/add_application_service_token5.7.1 - npm
@t-in-one/add_application_tid5.7.1 - npm
@t-in-one/application_id_storage_key_token5.7.1 - npm
@t-in-one/form_product_token5.7.1 - npm
@t-in-one/get_application_hid5.7.1 - npm
@t-in-one/only_difference_payload5.7.1 - npm
@t-in-one/prefill_bundle_data_token5.7.1 - npm
@t-in-one/prefill_credit_data_token5.7.1 - npm
@travel-autotests/npm-proto3.5.22 - npm
@wb-track/shared-front3.5.22
Impact
- Postinstall hook dumps full
process.envtohttps://oob.moika[.]tech/report— npm tokens, AWS/GCP/Azure keys, GitHub tokens, DB URLs all leak from any CI runner or dev workstation that installed a package - Stager downloads OS-specific second-stage payloads from
oob.moika[.]tech/payload/{win,mac,linux}and spawns them as detached background processes (windowsHide=true) - Hard-coded
*_RECON_ONLY=1flag means current payloads are reconnaissance-only — affected orgs should expect a follow-on intrusion attempt against any environment that pinged the C2 - Spoofed
package.jsonURLs reference real-looking internal GitHub Enterprise, Jira, and docs portals (e.g.npm.t-in-one[.]io,docs.t-in-one[.]io,jira.t-in-one[.]io) so reviewers skimming metadata see a plausible "internal package" - Two
@capibar.chat/@sber-ecom-corebuilds were pre-staged on 2026-05-04 as version99.0.7, indicating reconnaissance against a Russian-language fintech / chat-platform target for several weeks before the burst
What to do
- 1Audit every
package.json, lockfile, and CI cache for the scopes@cloudplatform-single-spa,@t-in-one,@ce-rwb,@wb-track,@data-science,@payments-widget,@travel-autotests,@capibar.chat,@sber-ecom-core— see the packages map below for the exact name set - 2Block outbound to
oob.moika[.]tech,npm.t-in-one[.]io,docs.t-in-one[.]io,jira.t-in-one[.]ioand hunt for HTTP requests carrying headerX-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 - 3Rotate every secret that could have been in
process.envon any host that installed one of these packages: npm tokens, GitHub PATs, AWS/GCP/Azure keys, database URLs, signing keys - 4Enforce scope ownership for internal packages: register every internal
@scopeon the public npm registry (even with a stub) and pin private mirrors so the public version cannot be resolved - 5Run
npm ci --ignore-scripts(or pnpm / yarn equivalents) in CI for any build that does not need lifecycle scripts, and review newly-introduced postinstall scripts in PRs - 6Hunt for
~/.cache/._<scope>_init/,tmpdir/._<scope>_init.js, andT_IN_ONE_NO_TELEMETRYenvironment variables on developer endpoints — these are documented IoCs from Microsoft Defender