npm: 16 Malicious @t-in-one/ Packages Published in Coordinated Drop — All Exfiltrate Secrets
On May 29, 2026, 16 malicious npm packages were disclosed in a single coordinated drop, all sharing the @t-in-one/ scope and all published just one day prior.

Key findings
- All 16 packages share the @t-in-one/ npm scope, registered on May 28, 2026
- Every package was disclosed in a single coordinated advisory push on May 29
- All packages execute post-install scripts that exfiltrate environment variables to oob.moika.tech
- Package names mimic internal middleware and token-handling modules to deceive developers
- Payloads were obfuscated using obfuscator.io to evade static analysis
- No single package achieved high downloads, but the campaign targets CI/CD credential theft
On May 29, 2026, security researchers disclosed 16 malicious npm packages published under the @t-in-one/ scope, all registered on the same day — May 28 — and all flagged in a single coordinated advisory push. The packages, which include names like @t-in-one/add_application, @t-in-one/prefill_credit_data_token, and @t-in-one/safe_local_storage_token, were designed to impersonate internal application middleware and token-handling utilities, likely to trick developers into installing them as legitimate organizational dependencies.
Campaign Signature
Every package in this burst shares the @t-in-one/ npm scope, and the individual package names follow a consistent pattern: they read like internal service or middleware module names. Examples include @t-in-one/add_app_middleware_token, @t-in-one/application_id_storage_key_token, @t-in-one/restore_application_hid_from_storage, @t-in-one/prefill_bundle_data_token, and @t-in-one/send_add_application. The naming convention — underscored, descriptive, referencing tokens, storage, and application IDs — suggests the threat actor aimed to blend into a corporate or monorepo-style dependency tree, hoping a developer would install the wrong scoped package while configuring a real service.
Malicious Behavior
OpenSSF Package Analysis flagged all 16 packages for suspicious post-install behavior. The packages execute code that communicates with an external host — oob.moika.tech — and exfiltrates environment variables, including sensitive tokens and secrets stored in process.env. The installation scripts also reference obfuscator.io, indicating the payload was JavaScript-obfuscated to evade static analysis. The behavioral profile is consistent across the entire set: each package, upon npm install, reaches out to the same C2 endpoint, collects environment variables, and transmits them to the remote server.
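The behaviour described above (a lifecycle script that runs at install time and reaches out to an external host) is something a defender can look for directly in the installed tree. The following is an added example, not code from the advisory or from OpenSSF Package Analysis: it audits a set of package manifests for preinstall/install/postinstall hooks, flags any hook that references the C2 host named in the advisory, and marks hooks that execute a bundled JavaScript file for manual review. The manifests in `SAMPLE_TREE` are constructed for illustration; `auditTree` and `auditManifest` are hypothetical helper names.

```javascript
// Added example (not from the advisory): audit installed package manifests for
// install-time lifecycle hooks. The sample tree below is constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Host named in the advisory as the exfiltration endpoint.
const BLOCKED_HOSTS = ["oob.moika.tech"];

// Returns null when the manifest declares no install-time hook, otherwise a
// finding object with a coarse severity.
function auditManifest(name, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
  if (hooks.length === 0) return null;

  const findings = hooks.map((hook) => {
    const body = scripts[hook];
    // Direct reference to a known C2 host in the script text.
    const blockedHosts = BLOCKED_HOSTS.filter((host) => body.includes(host));
    // Hooks that just run a bundled .js file hide their real behaviour in that
    // file (often obfuscated), so the file needs a human look.
    const runsFile = /\bnode\s+\S+\.js\b/.test(body);
    return { hook, body, blockedHosts, runsFile };
  });

  let severity = "info"; // e.g. native addons legitimately run node-gyp here
  if (findings.some((f) => f.runsFile)) severity = "review";
  if (findings.some((f) => f.blockedHosts.length > 0)) severity = "critical";
  return { name, severity, findings };
}

// manifests: Array<{ name, manifest }> as would be collected by walking
// node_modules/**/package.json. Packages without install hooks are dropped.
function auditTree(manifests) {
  return manifests
    .map(({ name, manifest }) => auditManifest(name, manifest))
    .filter((f) => f !== null);
}

// Constructed sample tree: one benign library, one package in the malicious
// scope with a postinstall hook, one native addon with a normal build step.
const SAMPLE_TREE = [
  { name: "lodash", manifest: { version: "4.17.21", scripts: { test: "mocha" } } },
  {
    name: "@t-in-one/add_application",
    manifest: { version: "1.0.3", scripts: { postinstall: "node setup.js" } },
  },
  {
    name: "some-native-addon",
    manifest: { version: "0.3.1", scripts: { install: "node-gyp rebuild" } },
  },
];

console.log(JSON.stringify(auditTree(SAMPLE_TREE), null, 2));
```

The heuristic is deliberately coarse: it surfaces every package that runs code at install time so the list can be reviewed, rather than trying to decide maliciousness from the script text alone. Running installs with `npm install --ignore-scripts` in CI, then allow-listing the few packages that genuinely need a build step, removes the execution primitive this campaign relied on.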
Severity and Impact
While none of the 16 packages achieved high download counts — each shows between 222 and 487 weekly downloads — the risk is not in their current reach but in their potential. The @t-in-one/ scope and the convincing naming scheme could easily deceive a developer integrating a real internal service. Any system where one of these packages was installed should be considered fully compromised. The malware had access to environment variables, which in CI/CD pipelines often contain API keys, registry tokens, and cloud provider credentials. An attacker with those credentials could pivot to downstream systems, including private package registries and production infrastructure.
Detection and Response
Developers and security teams should audit their package-lock.json and yarn.lock files for any package under the @t-in-one/ scope. The full list of malicious package names includes:
- @t-in-one/add_app_middleware_token
- @t-in-one/add_application
- @t-in-one/add_application_service_token
- @t-in-one/add_application_tid
- @t-in-one/application_id_storage_key_token
- @t-in-one/form_product_token
- @t-in-one/get_application_hid
- @t-in-one/only_difference_payload
- @t-in-one/prefill_bundle_data_token
- @t-in-one/prefill_credit_data_token
- @t-in-one/prefill_transformers_data_token
- @t-in-one/restore_application_hid_from_storage
- @t-in-one/safe_local_storage_token
- @t-in-one/send_add_application
If any are found, rotate all secrets and credentials from a separate, trusted machine. Check npm token logs for any unauthorized publishes that may have used exfiltrated credentials. The C2 domain oob.moika.tech should be blocked at the network level.
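The lockfile audit recommended above can be scripted so it runs across every repository rather than by hand. The following is an added example, not code from the advisory: it scans the contents of a `package-lock.json` (both the v1 nested `dependencies` layout and the v2/v3 flat `packages` layout) and a classic `yarn.lock` for any entry under the `@t-in-one/` scope, including transitive copies nested under other packages. The lockfile contents embedded in `SAMPLE_PACKAGE_LOCK` and `SAMPLE_YARN_LOCK` are constructed; `findScopedInPackageLock` and `findScopedInYarnLock` are hypothetical helper names.

```javascript
// Added example (not from the advisory): find lockfile entries under a blocked
// npm scope. Sample lockfile contents below are constructed.
const BLOCKED_SCOPE = "@t-in-one/";

// package-lock.json v2/v3 keys "packages" by install path, e.g.
// "node_modules/@t-in-one/add_application"; v1 nests "dependencies" by name.
function findScopedInPackageLock(lockJson, scope = BLOCKED_SCOPE) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const hits = new Set();
  const marker = "node_modules/";

  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // The package name is whatever follows the last node_modules/ segment,
    // which also catches copies nested under another dependency.
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    if (name.startsWith(scope)) hits.add(`${name}@${meta.version || "unknown"}`);
  }

  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name.startsWith(scope)) hits.add(`${name}@${meta.version || "unknown"}`);
      if (meta.dependencies) walk(meta.dependencies); // v1 nested tree
    }
  };
  walk(lock.dependencies);

  return [...hits].sort();
}

// Classic yarn.lock: an unindented header such as
//   "@t-in-one/add_application@^1.0.0":
// is followed by an indented   version "1.0.0"   line.
function findScopedInYarnLock(text, scope = BLOCKED_SCOPE) {
  const hits = new Set();
  let current = null; // name of the scoped entry whose block we are inside
  for (const raw of text.split("\n")) {
    if (raw.length > 0 && !raw.startsWith(" ") && !raw.startsWith("#")) {
      // Header: take the first selector, strip quotes and the trailing colon,
      // then cut at the "@" that separates the name from its version range
      // (skipping the leading "@" of a scoped name).
      const firstSel = raw.replace(/:\s*$/, "").split(",")[0].trim().replace(/^"|"$/g, "");
      const at = firstSel.indexOf("@", 1);
      const name = at === -1 ? firstSel : firstSel.slice(0, at);
      current = name.startsWith(scope) ? name : null;
    } else if (current) {
      const m = raw.match(/^\s+version\s+"?([^"\s]+)"?/);
      if (m) { hits.add(`${current}@${m[1]}`); current = null; }
    }
  }
  return [...hits].sort();
}

// Constructed v3 lockfile with one direct and one transitively nested hit.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: "example-app", lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/@t-in-one/add_application": { version: "1.0.3" },
    "node_modules/some-lib/node_modules/@t-in-one/safe_local_storage_token": { version: "2.0.0" },
  },
});

// Constructed classic yarn.lock with one hit.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@t-in-one/prefill_credit_data_token@^1.0.0":
  version "1.0.0"
  resolved "https://registry.example.invalid/placeholder.tgz"

lodash@^4.17.21:
  version "4.17.21"
`;

console.log("package-lock.json:", findScopedInPackageLock(SAMPLE_PACKAGE_LOCK));
console.log("yarn.lock:", findScopedInYarnLock(SAMPLE_YARN_LOCK));
```

To use it on real repositories, read the lockfiles from disk and pass their contents to the two functions; a non-empty result is the trigger for the secret rotation and token-log review described above. Matching on the scope prefix rather than the 14 names listed catches any package the actor adds to the scope later.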
Broader Context
This burst is the latest in a growing pattern of scoped-package typosquatting campaigns on npm. By registering under a scope that sounds like an internal organization (@t-in-one), the attacker bypasses the usual typosquatting detection that targets popular open-source packages. Instead, they prey on developers working in large codebases where internal scoped packages are common. The fact that all 16 packages were published on the same day and disclosed simultaneously suggests either automated tooling or a single coordinated takedown request. Either way, the supply-chain attack surface continues to expand beyond typosquats of well-known libraries into impersonation of internal infrastructure — a harder class of attack to detect with traditional scanning tools.