THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · crypto miner · osv

Malicious code in @emcd-vue/loans (npm)

@emcd-vue/loans

Risk score

92

AI summary

Indexed incident for @emcd-vue/loans (npm).

Description

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling. This package was published 90 seconds after sibling package @emcd-vue/auth on 2026-06-01 by the same anonymous account (emcd-vue@proton.me).

This package is confirmed to use the same infrastructure and dropper logic as @emcd-vue/auth: it downloads a platform-specific second-stage payload from https://oob.moika.tech/payload/{platform} using the header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1, writes it to ~/.emcd-vue_init.js (a dot-prefixed hidden file), and executes it as a detached, unref'd process that persists after npm exits. On completion it beacons installation metadata to https://oob.moika.tech/report.

Technical details

Affected versions

*

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents