THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · crypto miner · osv

Malicious code in @emcd-vue/auth (npm)

@emcd-vue/auth

Risk score

92

AI summary

Indexed incident for @emcd-vue/auth (npm).

Description

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to pose as an internal Vue.js front-end tooling package from "EMCD Platform Engineering." The package contains no functional library code — the entire package is a delivery vehicle for a multi-stage dropper embedded in a 137.5 KB single-line obfuscated postinstall hook (JScrambler/WaCk-style; 811-element encoded string array).

Trigger: scripts.postinstall (package.json) → scripts/postinstall.js

Execution flow:

  • Checks EMCD_VUE_NO_TELEMETRY env var as a kill-switch (README misleadingly documents a different, non-functional kill-switch name)
  • Computes a per-host/project dedup key to execute only once
  • Detects platform (linux-x64, darwin-arm64, win)
  • Downloads platform-specific second-stage: GET https://oob.moika.tech/payload/{platform} with X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1
  • Writes payload to ~/.emcd-vue_init.js (dot-prefixed hidden file)
  • Spawns payload as a detached, unref'd process — persists after npm exits
  • Beacons installation metadata to https://oob.moika.tech/report

Technical details

Affected versions

* (all versions; the package never contained legitimate code)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents