VYPR
Vypr Intelligence | AI-generated | May 28, 2026

npm: Coordinated Campaign Drops 40 Malicious Packages Under '@cloudplatform-single-spa' and '@car-loans' Scopes

A coordinated campaign on npm has been uncovered following the simultaneous disclosure of 40 malicious packages published under the '@cloudplatform-single-spa' and '@car-loans' scopes on May 28, 2026.

Key findings

  • A coordinated drop of 40 malicious npm packages was simultaneously disclosed and removed on May 28, 2026.
  • The packages were published under two scopes chosen to look like internal organization packages: '@cloudplatform-single-spa' and '@car-loans'.
  • Malicious post-install scripts exfiltrated environment variables to the external domain oob.moika.tech.
  • The packages mimicked micro-frontend utilities and automotive financial applications to target enterprise environments.
  • Affected systems must be treated as fully compromised, requiring immediate credential and secret rotation.

On May 28, 2026, a coordinated batch of 40 malicious packages was disclosed and removed from the npm registry simultaneously. The packages were organized under two distinct, narrowly targeted scopes: @cloudplatform-single-spa and @car-loans. They had been registered only days before disclosure, indicating a rapid, automated campaign built to mimic internal enterprise micro-frontend utilities and financial applications.

Most of the packages (34 of 40) used the @cloudplatform-single-spa scope, mimicking components of the popular single-spa micro-frontend framework as tailored for a cloud platform. Examples include @cloudplatform-single-spa/notification-gateway, @cloudplatform-single-spa/security-groups, and @cloudplatform-single-spa/ml-ai-agents-mcp-server. The remaining 6 packages used the @car-loans scope, including @car-loans/deal, @car-loans/desktop-car-loans-application, and @car-loans/online-scoring-aff. The naming strongly suggests dependency confusion (public names chosen to collide with private internal packages so that a misconfigured resolver fetches the attacker's copy) or highly targeted typosquatting aimed at specific corporate development environments.

Analysis of the packages showed that commands executed during installation via a postinstall.js script. The script attempted to exfiltrate system metadata and environment variables (process.env) to an out-of-band destination, the external domain oob.moika.tech. This behaviour is characteristic of reconnaissance-phase malware designed to map internal environments and harvest credentials: developer machines and CI runners routinely carry cloud credentials, registry tokens and signing keys in environment variables. Although the packages had low download counts (roughly 300 to 700 weekly downloads before removal), their post-install scripts carried active malicious payloads.

The threat posed by these packages is severe. Any development environment or build pipeline that pulled these dependencies must be treated as fully compromised. Because the payload runs automatically through npm's postinstall lifecycle script, a developer never needs to import the module in application code to trigger it; pulling it in as a transitive dependency or running a stray npm install is enough. Security teams are urged to immediately rotate all secrets, API keys and npm publishing tokens that were present on affected machines.

Organizations using single-spa or automotive finance modules should audit their dependency trees and lockfiles (package-lock.json, and equally yarn.lock or pnpm-lock.yaml) for any references to these scopes. Specifically, look for packages such as @cloudplatform-single-spa/ml-rag, @cloudplatform-single-spa/datagrid, and @car-loans/online-sign-aff. If any of these packages are found, remove them immediately, isolate the affected build environments and rebuild them from clean images. Removal does not undo an exfiltration that has already happened, so credential rotation is still required.

This burst highlights the persistent threat of scoped package abuse on npm. A scoped name such as @cloudplatform-single-spa looks like an organization-owned package, and developers often assume scoped packages are private or vetted, when in fact anyone with an npm account can create a public scope and publish under it. The automated nature of the campaign, with 40 packages published and then flagged in a single coordinated sweep, underscores the need for continuous, real-time monitoring of registry activity, alongside install-time controls such as disabling lifecycle scripts (npm's ignore-scripts setting) and routing internal package names to a private registry so that a public package of the same name can never be resolved.
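The audit step above can be scripted. The following is an added example, not code from the article or from any of the packages it describes: it parses an npm lockfile object, lists every installed package under the two scopes named in the report, and flags entries that npm has marked with hasInstallScript (lockfile v2/v3 records this when a package declares preinstall, install or postinstall scripts). Both the flat "packages" map of lockfile v2/v3 and the nested "dependencies" tree of v1 are handled. The lockfile content is constructed for illustration and is not a real project's lockfile.

```javascript
// Added example: audit an npm lockfile for the scopes named in the report.
// SUSPECT_SCOPES comes from the article; everything else here is illustrative.
const SUSPECT_SCOPES = ['@cloudplatform-single-spa', '@car-loans'];

// Return the scope of a package name ('@scope/name' -> '@scope'), or null.
function scopeOf(name) {
  const m = /^(@[^/]+)\/[^/]+$/.exec(name);
  return m ? m[1] : null;
}

// Flatten a lockfile into {name, version, hasInstallScript} records.
// lockfileVersion 2/3: flat "packages" map keyed by node_modules path.
// lockfileVersion 1: recursive "dependencies" tree (no install-script flag).
function collectPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root project entry, not a dependency
      const marker = 'node_modules/';
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      out.push({ name, version: meta.version, hasInstallScript: Boolean(meta.hasInstallScript) });
    }
    return out;
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, version: meta.version, hasInstallScript: false });
      walk(meta.dependencies); // nested (deduplicated-away) copies live here
    }
  };
  walk(lock.dependencies);
  return out;
}

// Packages whose scope matches one of the suspect scopes.
function findSuspect(lock) {
  return collectPackages(lock).filter((p) => SUSPECT_SCOPES.includes(scopeOf(p.name)));
}

// Human-readable findings; a package with an install script is the urgent case.
function report(lock) {
  return findSuspect(lock).map((p) =>
    `${p.name}@${p.version}${p.hasInstallScript ? '  [declares install script]' : ''}`);
}

// Constructed lockfile v3 fragment (not a real project). Two entries use the
// suspect scopes and carry install scripts; the others are ordinary packages.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/single-spa': { version: '6.0.0' },
    'node_modules/@cloudplatform-single-spa/datagrid': { version: '1.2.3', hasInstallScript: true },
    'node_modules/@car-loans/online-sign-aff': { version: '0.0.4', hasInstallScript: true },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

for (const line of report(SAMPLE_LOCK)) console.log(line);
```

To run it against a real tree, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')). The hasInstallScript flag only exists in lockfile v2 and later; for a v1 lockfile you must inspect each package's package.json under node_modules. Running npm ci --ignore-scripts (or setting ignore-scripts=true in .npmrc) blocks the postinstall vector outright, at the cost of also skipping legitimate build scripts of native modules.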

AI-written article. Grounded in 0 CVE records.