VYPR
Published May 28, 2026 · Updated Jun 3, 2026 · 1 source

npm: 40 Malicious Scoped Packages Targeting Cloud, Finance, and ML Platforms Disclosed in Synchronized Takedown


Key findings

  • A total of 40 malicious packages were simultaneously removed from the npm registry on May 28, 2026.
  • The attack targeted three distinct enterprise-themed scopes: @cloudplatform-single-spa, @car-loans, and @mlspace.
  • Malicious postinstall.js scripts harvested sensitive system data from process.env upon installation.
  • Exfiltrated credentials and environment variables were sent to the out-of-band domain oob.moika.tech.
  • Affected packages were active for four to six days before being flagged and purged.

On May 28, 2026, the npm registry underwent a synchronized cleanup as security teams disclosed and removed 40 highly coordinated malicious packages at the same time. Unlike typical ad-hoc typosquatting campaigns, which target popular open-source libraries with slight spelling variations, this campaign used structured, scoped packages designed to mimic internal enterprise dependencies. The simultaneous disclosure of all 40 advisories, anchored by MAL-2026-4877, points to a single, unified takedown of a sophisticated threat actor's infrastructure.

The malicious packages were organized under three distinct, highly targeted scopes: @cloudplatform-single-spa, @car-loans, and @mlspace. Within these scopes, the package names suggest a deliberate attempt to target cloud infrastructure, automotive financial services, and machine learning development environments. Representative examples include @cloudplatform-single-spa/ml-ai-agents-agent-system, @car-loans/desktop-car-loans-application, and @mlspace/env-jupyter-server. Registry data reveals that these packages were first published between four and six days prior to their discovery, indicating they were positioned to intercept internal developer builds or automated CI/CD pipelines before being swiftly flagged and purged.

Behavioral analysis of the packages reveals a classic data-harvesting mechanism. Upon installation, a postinstall.js script is executed automatically via Node.js. This script accesses the host system's environment variables through process.env, collecting sensitive configuration details, system paths, and authentication tokens. The gathered information is then exfiltrated to an out-of-band (OOB) server hosted at the domain oob.moika.tech. This behavior is highly indicative of a targeted reconnaissance or credential-harvesting campaign, aiming to compromise developer workstations and build servers.

The severity of this compromise cannot be overstated. Because the malicious code executes during the installation phase, any system that ran npm install on these packages must be treated as fully compromised. The exfiltration of environment variables means that any cloud credentials, API keys, database passwords, or npm registry tokens active in the environment at the time of installation are now in the hands of the attackers. Organizations must assume that their downstream infrastructure is at risk if any of these packages were successfully pulled into their environments.

To defend against this campaign, developers and security administrators must immediately audit their dependency trees and package-lock.json files for any references to the @cloudplatform-single-spa, @car-loans, or @mlspace scopes. If any matches are found, the packages must be removed immediately, and all credentials or secrets associated with the affected environments must be rotated from a clean, uncompromised machine. Additionally, organizations should implement strict scope-mapping policies in their internal package managers to prevent public registry fallbacks from resolving internal-only scoped packages.
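The lockfile audit described above can be scripted. The following is an added example, not code from the advisory or from npm: it walks a parsed package-lock.json in either the flat `packages` layout (lockfileVersion 2/3) or the nested `dependencies` layout (lockfileVersion 1), and also catches aliased installs that hide the real package name. The function names, the sample lockfile, its versions and the `ui-kit` alias are constructed for illustration.

```javascript
// Scopes named in the advisory text above.
const FLAGGED_SCOPES = ['@cloudplatform-single-spa', '@car-loans', '@mlspace'];

// Return the flagged scope a package name belongs to, or null.
function flaggedScope(name) {
  if (typeof name !== 'string') return null;
  return FLAGGED_SCOPES.find((s) => name.startsWith(s + '/')) || null;
}
// Walk a parsed package-lock.json and list every entry in a flagged scope.
function auditLockfile(lock) {
  const hits = [];
  const record = (name, entry, where) => {
    if (!flaggedScope(name)) return;
    hits.push({ name, version: entry.version, where,
      hasInstallScript: entry.hasInstallScript === true });
  };
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      // v1 records an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(@?[^@]+)@/.exec(entry.version || '');
      record(alias ? alias[1] : key, entry, trail + key);
      walk(entry.dependencies, trail + key + ' > ');
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, entry] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      if (i === -1) continue; // root project ("") or a workspace directory
      // An aliased install keeps the real package name in "name".
      record(entry.name || path.slice(i + 'node_modules/'.length), entry, path);
    }
  } else {
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile; versions and the "ui-kit" alias are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@mlspace/env-jupyter-server': { version: '0.0.1', hasInstallScript: true },
    'node_modules/express/node_modules/ui-kit': { name: '@car-loans/desktop-car-loans-application', version: '0.0.1' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `auditLockfile`; any non-empty result means the removal and credential-rotation steps above apply.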

This incident highlights the persistent threat of targeted dependency confusion and scope-impersonation attacks. By crafting packages that look like legitimate internal modules for cloud, financial, and AI platforms, threat actors exploit the trust developers place in scoped registries. As automated security scanning continues to improve, the window between publication and takedown is shrinking, but the potential blast radius of even a few days of exposure remains a critical concern for enterprise supply chain security.

Synthesized by Vypr AI