Wave 2 of a dependency confusion attack campaign (C2: oob.moika.tech) targeting internal npm scopes. The attacker (npm user t-in-one, email nath.dr4k3@gmail.com) published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign shares the same C2 endpoint (https://oob.moika.tech/report), second-stage payload host (https://oob.moika.tech/payload), and hardcoded secret (l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1) as Wave 1 (npm users mr.4nd3r50n and pik-libs, published 2026-05-27).

On installation, the postinstall hook executes a three-layer obfuscated scripts/postinstall.js (obfuscator.io + custom base64 alphabet + integer-shuffle string table). The script checks a run-once guard at ~/.cache/._t-in-one_init/ and respects a T_IN_ONE_NO_TELEMETRY kill switch before proceeding. It then downloads an OS-specific second-stage JavaScript payload from https://oob.moika.tech/payload/{mac|win|linux}.js, writes it to a temporary file, and spawns it as a detached Node.js process that continues running after npm exits. The payload exfiltrates the full process.env (environment variables including secrets, tokens, and credentials), along with hostname, username, platform, architecture, and working directory, to https://oob.moika.tech/report.

---

-= Per source details. Do not edit below this line.=-

Source: ghsa-malware (4d23eb6a006062bf9fb6b86da83ee8503f834cab8e2628d85762cc5ce01410ca)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.