40 Malicious npm Packages Dropped in Coordinated Instant Across Three Scopes, All Beaconing to Same C2
Security researchers disclosed 40 malicious npm packages published simultaneously across three scopes — @car-loans, @cloudplatform-single-spa, and @mlspace — all communicating with the same C2 host oob.moika.tech.

On May 28, 2026, security researchers disclosed 40 malicious npm packages that had been published in a single coordinated instant, spanning three distinct scopes: @car-loans, @cloudplatform-single-spa, and @mlspace. Every advisory carries the MAL- prefix, and all packages were published within the same minute — a hallmark of automated tooling and a single threat actor pushing a batch of typosquatting and brand-impersonation packages to the registry in one go. The Open Source Security Foundation (OSSF) Package Analysis system flagged every single package for identical malicious behavior: each executes a post-install script that communicates with the remote host oob.moika.tech and exfiltrates environment variables.
The three scopes each target a different industry vertical, casting a wide net. The @car-loans scope (13 packages) impersonates internal modules for an auto-financing platform, with names like @car-loans/general-feature-toggles, @car-loans/mobile-car-loans-application, and @car-loans/online-scoring-aff. The @cloudplatform-single-spa scope (20 packages) masquerades as infrastructure and platform-engineering components such as @cloudplatform-single-spa/bare-metal-servers, @cloudplatform-single-spa/opensearch, and @cloudplatform-single-spa/vmmanager. The @mlspace scope (3 packages) targets machine-learning workflows with @mlspace/env-jupyter-server, @mlspace/file-manager, and @mlspace/model-registry. Several packages in the @cloudplatform-single-spa and @mlspace scopes were first published just three days before the disclosure, confirming they were freshly registered for this campaign.
The malicious behavior is identical across all 40 packages. Each package executes a post-install script embedded in a postinstall.js file that runs automatically when the package is installed via npm, without any user interaction. The script connects to oob.moika.tech and exfiltrates process.env variables, which often contain API keys, database credentials, cloud tokens, and npm authentication tokens. The consistent C2 endpoint and uniform exfiltration logic across all three scopes strongly indicate a single operator behind the entire burst.
The severity of this campaign is critical. Any computer that has installed one of these packages — whether as a direct dependency or transitively through another package — should be considered fully compromised. Affected users must rotate every secret and credential stored on the compromised machine, and do so from a separate, trusted system. Developers should immediately audit their package-lock.json or yarn.lock for any package matching these scopes.
The full list of malicious package names includes:
@car-loans/general-feature-toggles, @car-loans/mobile-car-loans-application, @car-loans/online-scoring-aff, @car-loans/referrer-module, @car-loans/safe-storage-module, @car-loans/save, @car-loans/application-aff, @car-loans/close-flow-module, @car-loans/deal, @car-loans/desktop-car-loans-application, @car-loans/feature-toggles-module, @car-loans/general-analytics, @car-loans/gus, @car-loans/restore, @car-loans/wait-task-props,
@cloudplatform-single-spa/aifactory-notebooks, @cloudplatform-single-spa/bare-metal-servers, @cloudplatform-single-spa/dataplatform-cloudberry, @cloudplatform-single-spa/dataplatform-clusters, @cloudplatform-single-spa/dataplatform-nessie, @cloudplatform-single-spa/evocs, @cloudplatform-single-spa/ml-ai-agents-agent-system, @cloudplatform-single-spa/ml-ai-agents-trigger, @cloudplatform-single-spa/mlspace-access-request, @cloudplatform-single-spa/opensearch, @cloudplatform-single-spa/security-groups, @cloudplatform-single-spa/smk, @cloudplatform-single-spa/svp-agent-backup, @cloudplatform-single-spa/svp-bare-metal-servers, @cloudplatform-single-spa/svp-interfaces, @cloudplatform-single-spa/vmmanager, @cloudplatform-single-spa/clickhouse, @cloudplatform-single-spa/cloud-dns, @cloudplatform-single-spa/advanced, @cloudplatform-single-spa/agreements,
@mlspace/env-jupyter-server, @mlspace/file-manager, and @mlspace/model-registry.
If any of these appear in your dependency tree, treat the installation environment as compromised.
Coordinated multi-scope drops like this one are becoming an increasingly common pattern in the npm ecosystem. By targeting three unrelated verticals — auto-finance, cloud platform engineering, and machine learning — the attacker cast a wide net, hoping to catch developers who might typo a scope name or blindly install a package that sounds like an internal corporate module. The simultaneous publication of all 40 packages, the shared C2 infrastructure, and the uniform exfiltration logic point to a well-organized operation rather than a lone opportunist. While none of the packages had accumulated significant download counts at the time of disclosure, the campaign's structure suggests the attacker was prepared to let them sit and accumulate victims over time.
The attack relies entirely on typosquatting of internal module names — no single popular open-source package was compromised. This technique, known as dependency confusion or namespace squatting, exploits the trust developers place in package names that resemble their organization's internal modules. As npm's ecosystem continues to grow, coordinated bursts like this one highlight the need for automated security scanning and careful auditing of dependencies, especially when packages come from unfamiliar scopes.
A follow-up campaign on May 28, 2026, added 16 malicious packages under the single @t-in-one/ scope, all exfiltrating environment variables to the same C2 domain oob.moika.tech used in the earlier three-scope burst. The packages mimic internal middleware and token-handling module names to deceive developers in large codebases, and their post-install scripts use obfuscator.io for evasion. While each package only achieved 222–487 downloads, the coordinated disclosure on May 29 underscores that the threat actor behind oob.moika.tech is iterating on scope-impersonation tactics rather than relying on high volume.
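The lockfile audit recommended above can be scripted. The following is an added example, not code from the researchers or from npm: it checks package-lock.json (v1 through v3) and yarn.lock text for the three scopes plus the follow-up @t-in-one scope, including transitive installs. Function names, versions and the sample lockfiles are constructed.

```javascript
// Added example: scope names are from this article; function names and samples are constructed.
const BAD_SCOPES = ['@car-loans', '@cloudplatform-single-spa', '@mlspace', '@t-in-one'];
const inBadScope = (name) => BAD_SCOPES.some((s) => String(name).startsWith(s + '/'));

// package-lock.json: v2/v3 use a flat "packages" map keyed by install path,
// v1 uses a nested "dependencies" tree. Both include transitive installs.
function auditPackageLock(text) {
  const lock = JSON.parse(text);
  const hits = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop(); // meta.name is set for aliases
    if (inBadScope(name)) hits.add(`${name}@${meta.version}`);
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (inBadScope(name)) hits.add(`${name}@${meta.version}`);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return [...hits].sort();
}

// yarn.lock (classic and berry): an unindented "descriptor[, descriptor]:" line
// opens an entry; its resolved version is on the two-space-indented "version" line.
function auditYarnLock(text) {
  const hits = new Set();
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(',')
        .map((d) => d.trim().replace(/^"|"$/g, ''))
        .map((d) => d.slice(0, d.indexOf('@', 1))) // drop "@range", keep the scope "@"
        .filter(inBadScope);
    } else {
      const m = /^ {2}version:? "?([^"\s]+)"?/.exec(line);
      if (m) names.forEach((n) => hits.add(`${n}@${m[1]}`));
    }
  }
  return [...hits].sort();
}

// Constructed samples: one transitive hit, one lookalike scope that must not match.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/left/node_modules/@mlspace/file-manager': { version: '9.9.9' },
  'node_modules/@car-loans-ui/save': { version: '1.0.0' } } });
const SAMPLE_YARN = '"@car-loans/save@^1.0.0", "@car-loans/save@~1.0.1":\n  version "1.0.2"\n';
console.log(auditPackageLock(SAMPLE_LOCK), auditYarnLock(SAMPLE_YARN));
```

Pass each function the contents of the matching lockfile; an empty array means no package from these scopes is pinned there. yarn.lock entries installed under an alias are not covered.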