@loans/vehicles-apinpm

@loans/vehicles-api is a dependency-confusion package targeting an internal @loans npm scope (claimed homepage docs.loans.io, README directs users to a private registry npm.loans.io) but published to the public npm registry with a malicious scripts/postinstall.js. On npm install, the postinstall script (1) downloads a per-OS payload from https://oob.moika.tech/payload/{linux,mac,win}, writes it to os.tmpdir() as._loans_init.sh/.bat, chmods 0755, and spawns it via /bin/sh or cmd.exe with no hash/signature verification — unconditional install-time remote code execution; (2) enumerates process.env for credential-shaped keys (npm_token, npm_config_authtoken, node_auth_token, npm_config__auth, github_token, aws_access_key_id, aws_secret_access_key, aws_session_token, artifactory_token, nexus_token) and POSTs the values to https://oob.moika.tech/report; (3) reads ~/.npmrc, /etc/npmrc,./.npmrc, and../.npmrc (which commonly contain registry _authToken entries) and exfiltrates their contents; (4) collects host fingerprint (hostname, username, platform, arch, cwd, node/npm versions, full PATH, CI flags) and self-identifies in the JSON payload as poc: 'dependency-confusion-npm'. The destination domain oob.moika.tech does not match the claimed publisher (loans.io). Any installer whose internal resolver selects this public version is fully compromised at install time.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.