npm: 40 Malicious Packages Across Three Scopes Dropped in Coordinated Instant — All Beacon to Same C2
On 2026-05-28, 40 malicious npm packages were disclosed in a single coordinated instant, spanning three distinct scopes — @car-loans, @cloudplatform-single-spa, and @mlspace — all communicating with the same C2 host oob.moika.tech.

Key findings
- 40 malicious npm packages disclosed in the same instant across three scopes
- All packages share the same C2 host: oob.moika.tech
- Post-install scripts exfiltrate process.env variables on every installation
- Scopes target auto-finance (@car-loans), cloud infra (@cloudplatform-single-spa), and ML (@mlspace)
- Packages in @cloudplatform-single-spa and @mlspace were registered within three days of disclosure
- No existing popular package was compromised: the attack relies on typosquatting and on impersonating internal module names (a dependency-confusion pattern)
On 2026-05-28, 40 malicious npm packages were disclosed simultaneously in a tightly coordinated drop spanning three distinct npm scopes: @car-loans, @cloudplatform-single-spa, and @mlspace. Every advisory carries the MAL- prefix, and all 40 landed within the same minute. Taken together with the shared payload described below, that points to a single threat actor pushing a batch of typosquatting and brand-impersonation packages to the registry in one automated run.
The three scopes each target a different industry vertical. The @car-loans scope (16 packages in the list below) impersonates internal modules for an auto-financing platform, with names like @car-loans/general-feature-toggles, @car-loans/mobile-car-loans-application, @car-loans/online-scoring-aff, and @car-loans/referrer-module; note the near-duplicate pair @car-loans/applicaion-aff and @car-loans/application-aff, a classic typosquat. The @cloudplatform-single-spa scope (20 packages) masquerades as infrastructure and platform-engineering components, among them @cloudplatform-single-spa/bare-metal-servers, @cloudplatform-single-spa/opensearch, @cloudplatform-single-spa/security-groups, @cloudplatform-single-spa/vmmanager, and @cloudplatform-single-spa/clickhouse. The @mlspace scope (3 packages) targets machine-learning workflows with @mlspace/env-jupyter-server, @mlspace/file-manager, and @mlspace/model-registry. Several packages in the @cloudplatform-single-spa and @mlspace scopes were first published within three days of the 2026-05-28 disclosure, confirming they were freshly registered for this campaign rather than hijacked from an existing maintainer.
Open Source Security Foundation (OSSF) Package Analysis flagged all 40 packages for identical malicious behavior: each package executes a post-install script that connects to the remote host oob.moika.tech and exfiltrates the process environment (the full contents of process.env). The payload lives in a postinstall.js file wired to the package's postinstall lifecycle hook in package.json, so npm runs it automatically on every install, including transitive installs in CI, unless install scripts have been disabled. The consistent C2 endpoint and identical exfiltration logic across all three scopes strongly indicate a single operator behind the entire burst.
The severity of this campaign is critical. Any machine that has installed one of these packages, whether as a direct dependency or transitively, should be considered fully compromised. The post-install script fires without user interaction and sends the entire environment (which on developer workstations and CI runners routinely contains API keys, database credentials, cloud tokens, and npm authentication tokens) to the attacker-controlled domain. Removing the package does not undo this; the secrets left the machine at install time. Affected users must rotate every secret and credential that was present in the environment of the compromised machine, and do so from a separate, trusted system.
Developers should immediately audit their package-lock.json or yarn.lock for any package matching these scopes. The full list of malicious package names includes:
- @car-loans/general-feature-toggles
- @car-loans/mobile-car-loans-application
- @car-loans/online-scoring-aff
- @car-loans/referrer-module
- @car-loans/safe-storage-module
- @car-loans/save
- @car-loans/applicaion-aff
- @car-loans/application-aff
- @car-loans/close-flow-module
- @car-loans/deal
- @car-loans/desktop-car-loans-application
- @car-loans/feature-toggles-module
- @car-loans/general-analytics
- @car-loans/gus
- @car-loans/restore
- @car-loans/wait-task-props
- @cloudplatform-single-spa/aifactory-notebooks
- @cloudplatform-single-spa/bare-metal-servers
- @cloudplatform-single-spa/dataplatform-cloudberry
- @cloudplatform-single-spa/dataplatform-clusters
- @cloudplatform-single-spa/dataplatform-nessie
- @cloudplatform-single-spa/evocs
- @cloudplatform-single-spa/ml-ai-agents-agent-system
- @cloudplatform-single-spa/ml-ai-agents-trigger
- @cloudplatform-single-spa/mlspace-access-request
- @cloudplatform-single-spa/opensearch
- @cloudplatform-single-spa/security-groups
- @cloudplatform-single-spa/smk
- @cloudplatform-single-spa/svp-agent-backup
- @cloudplatform-single-spa/svp-bare-metal-servers
- @cloudplatform-single-spa/svp-interfaces
- @cloudplatform-single-spa/vmmanager
- @cloudplatform-single-spa/clickhouse
- @cloudplatform-single-spa/cloud-dns
- @cloudplatform-single-spa/advanced
- @cloudplatform-single-spa/agreements
- @mlspace/env-jupyter-server
- @mlspace/file-manager
- @mlspace/model-registry
If any of these appear in your dependency tree, treat the installation environment as compromised. Because the exfiltrated environment on a CI runner usually includes the token used to publish your own packages, also review your npm account's publishing activity for releases you did not make, revoke every existing automation token, and rotate all credentials immediately. Going forward, setting ignore-scripts=true in .npmrc (or installing with npm ci --ignore-scripts) prevents lifecycle hooks like this one from running at all, at the cost of explicitly rebuilding the few native packages that legitimately need them.
Coordinated multi-scope drops like this one are becoming an increasingly common pattern in the npm ecosystem. By targeting three unrelated verticals — auto-finance, cloud platform engineering, and machine learning — the attacker cast a wide net, hoping to catch developers who might typo a scope name or blindly install a package that sounds like an internal corporate module. The simultaneous publication of all 40 packages, the shared C2 infrastructure, and the uniform exfiltration logic point to a well-organized operation rather than a lone opportunist. While none of the packages had accumulated significant download counts at the time of disclosure, the campaign's structure suggests the attacker was prepared to let them sit and accumulate victims over time.