@t-in-one/prefill_transformers_data_token

Details

Wave 2 of a dependency confusion attack campaign (C2: `oob.moika.tech`) targeting internal npm scopes. The attacker (npm user **t-in-one**, email `nath.dr4k3@gmail.com`) published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign shares the same C2 endpoint (`https://oob.moika.tech/report`), second-stage payload host (`https://oob.moika.tech/payload`), and hardcoded secret (`l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1`) as Wave 1 (npm users **mr.4nd3r50n** and **pik-libs**, published 2026-05-27).

On installation, the `postinstall` hook executes a three-layer obfuscated `scripts/postinstall.js` (obfuscator.io + custom base64 alphabet + integer-shuffle string table). The script checks a run-once guard at `~/.cache/._t-in-one_init/` and respects a `T_IN_ONE_NO_TELEMETRY` kill switch before proceeding. It then downloads an OS-specific second-stage JavaScript payload from `https://oob.moika.tech/payload/{mac|win|linux}.js`, writes it to a temporary file, and spawns it as a detached Node.js process that continues running after npm exits. The payload exfiltrates the full `process.env` (environment variables including secrets, tokens, and credentials), along with hostname, username, platform, architecture, and working directory, to `https://oob.moika.tech/report`.

---
_-= Per source details. Do not edit below this line.=-_

## Source: ghsa-malware (8341e1e22d843d52d421fc32531475700d90ce46e88ba8be87a7ad1f9d0a6f73)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.