THREATPKG

Supply-chain threat intelligence


Severity: critical · Ecosystem: npm · Category: crypto miner · Source: osv

Malicious code in @emcd-vue/b2b-pay-form (npm)


Risk score

92

AI summary

Indexed incident for @emcd-vue/b2b-pay-form (npm).

Description

Part of a coordinated multi-package supply-chain attack impersonating EMCD (emcd.io), a legitimate Russian cryptocurrency exchange and mining pool. The attacker registered the @emcd-vue npm scope to distribute multiple malicious packages posing as internal tooling under the "EMCD Platform Engineering" identity. This package was published on the same day as confirmed campaign packages @emcd-vue/auth and @emcd-vue/loans, which share C2 infrastructure at oob.moika.tech.

The package description ("Internal HTTP client with retry, auth injection and request tracing") is fabricated; the @emcd-vue scope has no affiliation with the real EMCD exchange (emcd.io). Campaign packages in this scope use a multi-stage postinstall dropper that downloads and executes a platform-specific payload from https://oob.moika.tech/payload/{platform} using a shared secret key, writes the payload to a hidden dot-file in the user's home directory, and beacons installation metadata to https://oob.moika.tech/report.

Technical details

Affected versions: * (all versions)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
