Malicious npm packages abuse dependency confusion to profile developer environments
ID: 93090e63-7c2e-525c-86ac-5c3adf3b05d6
STIX ID: report--93090e63-7c2e-525c-86ac-5c3adf3b05d6
Feed Name: Microsoft Security
Date Published: 2026-05-30
Date Updated: 2026-05-30
Author: Microsoft Defender Security Research Team
Microsoft Threat Intelligence documents an active supply-chain campaign (May 28–29, 2026) in which an operator published dozens of malicious npm packages across nine organizational scopes using dependency confusion. Each package runs an obfuscated postinstall stager that downloads a platform-specific reconnaissance payload from https://oob.moika.tech, collects environment and developer context (including credentials), and can be escalated from a RECON_ONLY mode to full exploitation. The report contains detailed attack-chain analysis, IOCs (maintainer aliases, the X-Secret value, domains, package names, and dropped filenames), attribution evidence, and comprehensive mitigation and hunting recommendations.
