@blamejs/exceptd-skills 0.15.50 → 0.15.52

package/data/cve-catalog.json

@@ -55,12 +55,13 @@
     "ai_discovery_methodology": {
       "field_added": "2026-05-15",
       "agents_md_target": "Hard Rule #7 — '41% of 2025 zero-days were AI-discovered'. Catalog target rate floor: 0.40.",
-      "current_rate": 0.028,
-      "current_floor_enforced_by_test": 0.028,
+      "current_rate": 0.0279,
+      "current_floor_enforced_by_test": 0.027,
       "ladder_to_target": [
+        0.027,
         0.028,
         0.029,
-    0.03,
+        0.03,
         0.05,
         0.1,
         0.15,
@@ -68,7 +69,7 @@
         0.3,
         0.4
       ],
-      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved). v0.13.122: AI-ecosystem CVE tranches grew the catalog to 414; observed rate 12/414 (0.0290) fell just under the 0.029 floor, so the floor was lowered to 0.028 with a prepended 0.028 ladder rung (prior rungs and the 0.40 target preserved). v0.14.27: three non-AI CI/CD supply-chain entries grew the catalog to 423; observed rate 12/423 (0.0284), current_rate updated 0.029 -> 0.028; floor unchanged at 0.028 (still under observed).",
+      "floor_correction_note": "v0.13.4: floor dropped from 0.15 → 0.13 after the v0.13.4 cleanup removed two stuck-draft CVEs (MAL-2026-ANTHROPIC-MCP-STDIO duplicate of CVE-2026-30623 + CVE-2026-GTIG-AI-2FA embargoed placeholder). The GTIG entry was the only ai_discovered=true of the two; catalog observed rate fell from 6/40 (0.15) to 5/38 (0.132). Floor is reset below the new observed rate to keep the test honest, and a new 0.13 rung is prepended to the ladder so monotonic non-decreasing is preserved without rewriting prior rungs. Prior correction note: v0.12.31 floor dropped 0.20 → 0.15 after the cycle-11 intake added six ai_discovered=false entries. v0.13.17: catalog grew 68 -> 72 with 4 non-AI Nightmare-Eclipse entries; observed rate falls from 12/68 (0.176) to 12/72 (0.208). Floor unchanged at 0.13 — still under observed. v0.13.17: catalog grew 72 -> 232 via CISA KEV bulk import; observed rate drops from 0.208 (15/72) to 0.065 (15/232) because KEV records lack AI-attribution metadata. Floor reset to 0.05 with new prepended ladder rung; existing rungs preserved. v0.13.17 round-2: catalog grew further to 312 via additional KEV bulk import; observed rate 0.038 (12/312). Floor lowered to 0.03 with a new prepended ladder rung to keep the test honest under bulk-import dilution. Prior rungs preserved; the 0.40 target ladder is unchanged. AI-attribution backfill for the 240 bulk-imported entries is operator-curation work in future cycles. v0.13.113: catalog grew to 402; observed rate 12/402 (0.0299) fell just under the 0.03 floor, so the floor was lowered to 0.029 with a prepended 0.029 ladder rung (prior rungs and the 0.40 target preserved). v0.13.122: AI-ecosystem CVE tranches grew the catalog to 414; observed rate 12/414 (0.0290) fell just under the 0.029 floor, so the floor was lowered to 0.028 with a prepended 0.028 ladder rung (prior rungs and the 0.40 target preserved). v0.14.27: three non-AI CI/CD supply-chain entries grew the catalog to 423; observed rate 12/423 (0.0284), current_rate updated 0.029 -> 0.028; floor unchanged at 0.028 (still under observed). v0.15.51: three non-AI supply-chain entries (CVE-2022-23812 node-ipc protestware + MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM + MAL-2026-MOIKA-DEPCONFUSION) grew the catalog to 430; observed rate 12/430 (0.0279) fell just under the 0.028 floor, so the floor was lowered to 0.027 with a prepended 0.027 ladder rung (prior rungs and the 0.40 target preserved).",
       "ladder_note": "Test floor advances when each rung is exceeded with a margin (>= floor + 0.05). Surfaces incremental tightening without coincidence-passing failures.",
       "gap_explanation": "Catalog skews toward 2024 vendor-disclosed CVEs (xz-utils, runc, CRI-O, MLflow, containerd, SolarWinds, Citrix, ConnectWise) and Pwn2Own Ireland 2025 entries (Synacktiv, DEVCORE, Summoning Team, CyCraft) where AI-tooling involvement was either not used or not credited in the public disclosure. The 41% figure in AGENTS.md Hard Rule #7 reflects the broader 2025 zero-day population reported by Google Threat Intelligence Group; catalog membership is curated against a different sampling frame (operational impact + framework-coverage need) and so will lag the population-level rate.",
       "discovery_source_enum": [
@@ -92,6 +93,453 @@
     },
     "last_threat_review": "2026-05-30"
   },
+  "CVE-2022-23812": {
+    "name": "node-ipc geo-targeted file-wiper protestware (RU/BY heart-emoji overwrite; peacenotwar dropper in 11.0.0+)",
+    "type": "supply-chain-protestware-wiper",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_correction_note": "NVD-assigned 9.8 CRITICAL (published 2022-03-16). Vector verbatim from NVD / GHSA-97m3-w2cp-4xx6. RWEP (below) captures the geo-gating that the worst-case CVSS base score does not. NVD scopes the bundled peacenotwar protestware (11.0.0+) under this same CVE id.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "Local grep of .cache/upstream/kev/known_exploited_vulnerabilities.json (catalogVersion 2026.05.13, 1590 entries) for CVE-2022-23812 returned 0 matches (cross-checked against 130 CVE-2022 entries present, so the 0 is a true absence). CISA KEV historically excludes npm-ecosystem malicious-package events lacking a federally-deployable product; cisa_kev:false is correct.",
+    "poc_available": true,
+    "poc_description": "Live malicious payload — node-ipc 10.1.1 and 10.1.2 (published 2022-03-07/08 by maintainer RIAEvangelist) shipped the file-overwrite logic to the public npm registry and were installable before npm removal. The malicious build IS the PoC; source preserved in archival mirrors and analyzed by Snyk (SNYK-JS-NODEIPC-2426370) and Orca (2022).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Community / vendor analysis of the published versions within hours (Snyk, GitHub Security Lab, Vue CLI consumers). No AI tool credited; with ai_discovered:false the schema prescribes human_researcher.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "Hand-authored JavaScript by the package maintainer (geo-IP check + recursive file overwrite). No AI-generated-code fingerprint reported.",
+    "active_exploitation": "suspected",
+    "active_exploitation_notes": "Sources (Snyk, Orca, NVD) document the PRESENCE of the destructive payload in published versions and broad exposure (node-ipc was a transitive dependency of Vue CLI), but none cite confirmed real-world victim file-wiping in RU/BY — Orca explicitly notes no documented cases of actual file deletion. Scored \"suspected\" rather than \"confirmed\": exposure via dependency resolution is not the same as observed exploitation (the MAL-2026-NODE-IPC-STEALER sibling earns \"confirmed\" only because Datadog/Socket observed live consumer installs).",
+    "affected": "node-ipc package on npm. Destructive RU/BY file-overwrite payload in 10.1.1 / 10.1.2 (published 2022-03-07/08 by maintainer RIAEvangelist / Brandon Nozaki Miller); removed in 10.1.3. NVD additionally scopes the bundled peacenotwar protestware (WITH-LOVE-FROM-AMERICA.txt desktop drop) into 11.0.0+. node-ipc carried ~1M+ weekly downloads and was a transitive dependency of Vue CLI, broadening exposure across the JS ecosystem.",
+    "affected_versions": [
+      "node-ipc == 10.1.1 (destructive RU/BY file-wiper, published 2022-03-07)",
+      "node-ipc == 10.1.2 (destructive RU/BY file-wiper, published 2022-03-08)",
+      "node-ipc >= 11.0.0 (NVD-scoped peacenotwar protestware dropper)"
+    ],
+    "vector": "Maintainer-authored sabotage (insider supply-chain). The legitimate node-ipc maintainer added code to the published package that, on require('node-ipc'), resolved the host's public-IP geolocation and, if in Russia or Belarus, recursively overwrote writable files with a heart character. A follow-on change bundled the peacenotwar module dropping a WITH-LOVE-FROM-AMERICA.txt protest file. The payload fires on module load (NOT a postinstall hook) — consumer-side --ignore-scripts does NOT mitigate. Class: trusted-maintainer protestware/sabotage, distinct from account-takeover (MAL-2026-NODE-IPC-STEALER) and typosquat (MAL-2025-PYPI-COLORAMA-SOLANA-STEALER).",
+    "complexity": "low",
+    "complexity_notes": "Payload fires automatically on module load in any consumer (direct or transitive via Vue CLI). --ignore-scripts does not mitigate (main-module, not postinstall). Maintainer-side: trivially reproducible by any package owner with publish rights.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "vendor_update_paths": [
+      "Upgrade node-ipc to 10.1.3+ (destructive payload removed) and pin; for the 11.0.0+ peacenotwar range, pin to a pre-11.0.0 line or a maintained fork if the protest-file drop is unacceptable",
+      "Use npm ci with a lockfile predating 2022-03-07 to refuse the malicious versions",
+      "Audit for the heart-character overwrite IoC on any RU/BY-geolocated host that installed 10.1.1 / 10.1.2"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF": "Reused-OSS-component controls assume maintainer good-faith; they do not address trusted-maintainer protestware/sabotage as a supply-chain risk class.",
+      "EU-CRA-Art13": "SBOM / component-inventory records what resolved, not whether a trusted maintainer shipped a destructive payload — a pinned malicious version is SBOM-compliant.",
+      "NIS2-Art21-supply-chain": "Generic supply-chain controls without npm-ecosystem specifics (main-module-vs-postinstall payload distinction, maintainer-intent / geopolitical-sabotage risk).",
+      "UK-CAF-B4": "Outcome-based supply-chain principle does not prescribe defense against insider-maintainer sabotage of a public dependency.",
+      "ISO-27001-2022-A.5.21": "ICT-supply-chain control manages supplier risk but does not frame a trusted upstream maintainer shipping a destructive payload (insider sabotage) as a supply-chain risk."
+    },
+    "atlas_refs": [],
+    "attack_refs": [
+      "T1195.001",
+      "T1485"
+    ],
+    "attack_refs_note": "T1195.001 (Compromise Software Dependencies and Development Tools) = the supply-chain delivery; T1485 (Data Destruction) = the geo-targeted recursive file overwrite. No ATLAS ref: this is not an AI/ML attack.",
+    "rwep_score": 27,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 10,
+      "blast_radius": 12,
+      "patch_available": -15,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_rationale": "Sum = 0+20+0+10+12-15+0+0 = 27 (Shape-B, verified vs lib/scoring.js). poc_available=20 (live payload). active_exploitation=10 ('suspected' ladder x0.5x20 — presence documented, victim impact not confirmed). blast_radius=12 — broad download EXPOSURE (~1M weekly, transitive via Vue CLI) but the DESTRUCTIVE payload is geo-gated to RU/BY, narrowing real blast vs the global MAL-2026-NODE-IPC-STEALER's 28. patch_available=-15 (10.1.3 removed it). live_patch_available=0 (no registry-side live-patch tooling for a 2022 incident). Below the 2026 stealer's 43, reflecting geo-gated impact and no confirmed exploitation.",
+    "epss_score": null,
+    "epss_date": "2026-05-30",
+    "epss_note": "EPSS coverage is not carried for this 2022 npm malicious-package CVE; null.",
+    "cwe_refs": [
+      "CWE-506"
+    ],
+    "source_verified": "2026-05-30",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2022-23812",
+      "https://github.com/advisories/GHSA-97m3-w2cp-4xx6",
+      "https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370",
+      "https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-code-node-ipc-npm-package/",
+      "https://tag-security.cncf.io/community/catalog/compromises/2022/node-ipc-peacenotwar/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Advisory Database (npm)",
+        "advisory_id": "GHSA-97m3-w2cp-4xx6",
+        "url": "https://github.com/advisories/GHSA-97m3-w2cp-4xx6",
+        "severity": "critical",
+        "published_date": "2022-03-16"
+      },
+      {
+        "vendor": "Snyk",
+        "advisory_id": "SNYK-JS-NODEIPC-2426370",
+        "url": "https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370",
+        "severity": "critical",
+        "published_date": "2022-03-15"
+      }
+    ],
+    "iocs": {
+      "payload_artifacts": [
+        "Recursive overwrite of writable files with the heart/emoji character on hosts geolocated to Russia/Belarus (node-ipc 10.1.1 / 10.1.2)",
+        "WITH-LOVE-FROM-AMERICA.txt dropped on the desktop by the bundled peacenotwar module (node-ipc 11.0.0+ / peacenotwar dependency)"
+      ],
+      "behavioral": [
+        "On require('node-ipc'), an outbound public-IP geolocation lookup followed by recursive filesystem writes when the host resolves to RU/BY",
+        "Presence of node-ipc 10.1.1 or 10.1.2 in a lockfile resolved from the public registry"
+      ],
+      "forensic_note": "Main-module payload (not postinstall) — --ignore-scripts does not prevent it. The heart-character file overwrite is the destructive IoC; the WITH-LOVE-FROM-AMERICA.txt desktop file is the non-destructive protestware IoC."
+    },
+    "last_updated": "2026-05-30",
+    "discovery_attribution_note": "Disclosed by community / vendor analysis (Snyk, GitHub Security Lab) within hours of the 2022-03-07/08 publish. NVD scopes the destructive RU/BY payload (10.1.1 / 10.1.2) and the peacenotwar protest dropper (11.0.0+) together under CVE-2022-23812. Not AI-discovered.",
+    "remediation_status": "patched_upstream",
+    "remediation_note": "node-ipc 10.1.3 removed the destructive payload (2022-03-08). The 11.0.0+ peacenotwar protestware remained per NVD scoping. Novel defended class for this catalog: trusted-maintainer protestware / sabotage of a high-reach dependency (the catalog previously had account-takeover and typosquat supply-chain classes, not insider-maintainer sabotage).",
+    "remediation_status_verified_at": "2026-05-30",
+    "_editorial_note": "CVE-2022-23812 intake: first trusted-maintainer-protestware/sabotage entry in the catalog. Distinct from MAL-2026-NODE-IPC-STEALER (account-recovery takeover, credential-stealer): this is the original maintainer authoring a geo-targeted destructive payload. Paired zeroday-lesson generates NEW-CTRL-114 (main-module-payload detection — the --ignore-scripts blind spot)."
+  },
+  "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM": {
+    "name": "TrapDoor cross-ecosystem crypto-stealer + AI-assistant poisoning campaign (npm/PyPI/crates.io)",
+    "type": "supply-chain-credential-stealer",
+    "primary_id": "MAL-2026-4207",
+    "additional_osv_ids": [
+      "MAL-2026-4207 (npm eth-wallet-sentinel; alias GHSA-7r6r-hqg7-f6mq)",
+      "MAL-2026-4218 (npm solidity-deploy-guard; alias GHSA-3r5j-pgc5-q23x)",
+      "MAL-2026-4220 (npm web3-secrets-detector; alias GHSA-qc99-w9r4-jrg5)",
+      "MAL-2026-4282 (npm prompt-engineering-toolkit; alias GHSA-5frg-fmcq-p9cg)",
+      "MAL-2026-4259 (PyPI cryptowallet-safety)",
+      "MAL-2026-4260 (PyPI defi-risk-scanner)",
+      "MAL-2026-4261 (PyPI eth-security-auditor)"
+    ],
+    "cvss_score": 9.3,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
+    "cvss_correction_note": "No NVD CVE assigned as of 2026-05-30; CVSS synthesized per OSSF Malicious-Packages convention. AV:N (payload reaches victim via npm/PyPI/crates.io registry channel); UI:R (developer/CI runs install, import, or `cargo build`); S:C (exfiltrated AWS/GitHub/SSH/wallet material + AI-assistant prompt-injection extends blast radius beyond the consuming process). A:L rather than A:H — this is a stealer, not a wiper/ransom payload. Synthesized, marked UNVERIFIED-as-formal-CVSS.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV scope excludes ecosystem malicious-package campaigns without an assigned NVD CVE. Local grep of known_exploited_vulnerabilities.json (catalogVersion 2026.05.13) for MAL-2026-4207, GHSA-7r6r-hqg7-f6mq, and 'trapdoor' returned 0. cisa_kev:false is correct; active_exploitation:confirmed reflects live registry payloads. Consume OpenSSF MAL feed + Socket/Amazon Inspector advisories for this class.",
+    "poc_available": true,
+    "poc_description": "Live payload. trap-core.js (48,485 bytes / 1,149 lines) shipped across the campaign (19 npm packages per The Hacker News; the GHSA-7r6r-hqg7-f6mq anchor cluster covers 10 npm packages by maintainer ddjidd5640, published 2026-05-19..21); PyPI variants auto-execute on import via `node -e` pulling JS from ddjidd564.github.io; crates.io variants run via build.rs at compile time, XOR-encrypting keystores with hardcoded key 'cargo-build-helper-2026' and exfiltrating to GitHub Gists. The malicious build IS the PoC. [Socket, 2026-05; OSV MAL-2026-4207, 2026-05-26]",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "Discovered by Socket behavioral/cross-registry detection (median 5m27s, fastest 58s after publication). No AI tool credited for discovery. ai_discovery_source=vendor_research (enum lacks 'ecosystem_detection'). [Socket, 2026-05]",
+    "ai_assisted_weaponization": true,
+    "ai_assisted_notes": "Novel AI-attack vector: the payload plants .cursorrules and CLAUDE.md files containing instructions hidden with zero-width Unicode characters, designed to trick AI coding assistants (Cursor, Claude Code) into running a fake 'security scan' that discovers and exfiltrates local secrets. This is AI-assistant prompt-injection as a weaponization channel, distinct from AI-generated payload code. [Socket, 2026-05; The Hacker News, 2026-05] — maps ATLAS AML.T0051 (LLM prompt injection).",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Socket observed live installable packages across 384+ versions during the campaign window; some removed, others still live at time of Socket reporting. Amazon Inspector independently catalogued per-version malicious tarballs (IN-MAL-2026-003711..004092). [Socket 2026-05; OSV/Amazon Inspector 2026-05-26]",
+    "affected": "34+ packages / 384+ versions across three registries. npm (19 campaign-wide / 10 in the GHSA-7r6r anchor cluster, publisher cluster incl. 'asdxzxc' per Socket and 'ddjidd5640'/1623682356@qq.com per OSV — see actor-account note): async-pipeline-builder, build-scripts-utils, chain-key-validator, crypto-credential-scanner, defi-env-auditor, defi-threat-scanner, deployment-key-auditor, dev-env-bootstrapper, eth-wallet-sentinel, llm-context-compressor, mnemonic-safety-check, model-switch-router, node-setup-helpers, project-init-tools, prompt-engineering-toolkit, solidity-deploy-guard, token-usage-tracker, wallet-backup-verifier, wallet-security-checker, web3-secrets-detector, workspace-config-loader. PyPI (7, accounts asdmini67/dae5411): cryptowallet-safety, data-pipeline-check, defi-risk-scanner, env-loader-cli, eth-security-auditor, git-config-sync, solidity-build-guard. crates.io (6): move-analyzer-build, move-compiler-tools, move-project-builder, sui-framework-helpers, sui-move-build-helper, sui-sdk-build-utils. Targets crypto/DeFi/Solana/Sui/Aptos and AI-tooling developers.",
+    "actor_account_note": "UNVERIFIED reconciliation: Socket names npm user 'asdxzxc'; OSV/GHSA names npm maintainer 'ddjidd5640' (1623682356@qq.com). Both tie to C2 ddjidd564.github.io — co-actor accounts in one cluster. Exact account↔package mapping not fully reconcilable across the two primary sources.",
+    "vector": "Cross-ecosystem coordinated publish. npm: postinstall executes trap-core.js. PyPI: auto-execute on import — downloads JS from attacker GitHub Pages and runs via `node -e` (lets attacker mutate behavior without republishing). crates.io: build.rs runs at compile time, locates keystores, XOR-encrypts (key 'cargo-build-helper-2026'), exfiltrates to GitHub Gists. All variants: scan for SSH/AWS/GitHub/cloud creds + crypto-wallet extension data (Coinbase, Binance, MetaMask, Brave) + browser data + env vars; validate stolen AWS/GitHub tokens via API; attempt SSH lateral movement; plant persistence (git hooks, shell hooks, systemd, cron, SSH) AND AI-assistant poisoning files (.cursorrules, CLAUDE.md). C2 webhook fetched from ddjidd564.github.io/defi-security-best-practices/config.json (fallback webhook.site).",
+    "complexity": "low",
+    "complexity_notes": "Consumer-side execution automatic on install (npm postinstall), import (PyPI), or compile (crates build.rs). `--ignore-scripts` mitigates npm postinstall but NOT the PyPI import-time or crates build-time triggers. Lure-package naming (security-tool / MCP-server themes) lowers social-engineering cost.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "Socket (registry-side install-time blocking)",
+      "npm audit / pip-audit / cargo-audit (advisory-driven, post OSV ingest)",
+      "Amazon Inspector (IN-MAL-2026-* per-version detection)",
+      "StepSecurity Harden-Runner (CI egress + install-time blocking)"
+    ],
+    "vendor_update_paths": [
+      "Remove any of the 34 named packages; rotate ALL credentials reachable from a host that installed/imported/compiled them during the 2026-05-19..post-removal window",
+      "Audit .cursorrules and CLAUDE.md in any repo touched by these packages for zero-width-Unicode-hidden instructions",
+      "Lockfile/Cargo.lock/requirements audit against the named version set"
+    ],
+    "framework_control_gaps": {
+      "EU-AI-Act-Art15": "Robustness/accuracy controls for AI systems do not address adversarial prompt-injection planted in repo config files (.cursorrules/CLAUDE.md) that subvert a developer's AI coding assistant into exfiltrating secrets.",
+      "NIS2-Art21-supply-chain": "Generic supply-chain controls; no guidance on cross-ecosystem coordinated campaigns or on AI-assistant config-file poisoning as a supply-chain vector.",
+      "DORA-Art28": "ICT third-party risk controls assume vendor relationships, not transitive OSS lure-packages auto-executing on import/build.",
+      "UK-CAF-B4": "Supply-chain principle does not cover build-time (build.rs) or import-time auto-execution distinct from install-time hooks.",
+      "ISO-27001-2022-A.5.21": "ICT-supply-chain control does not address the developer-workstation AI-assistant trust boundary or cross-ecosystem lure packages auto-executing on import/compile.",
+      "NIST-800-218-SSDF-PW.4": "Reused-component controls assume install-time review; no coverage of AI-assistant config poisoning or compile-time crates triggers."
+    },
+    "atlas_refs": [
+      "AML.T0051",
+      "AML.T0010",
+      "AML.T0020"
+    ],
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1552.001",
+      "T1552.004",
+      "T1078.004",
+      "T1059.007",
+      "T1567.001"
+    ],
+    "rwep_score": 55,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 15,
+      "active_exploitation": 20,
+      "blast_radius": 25,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_rationale": "Shape-B stored sum = 0+20+15+20+25-15-10+0 = 55 (verified against lib/scoring.js RWEP_WEIGHTS). poc_available=20 (live payload). ai_factor=15 (AI-assistant prompt-injection weaponization via .cursorrules/CLAUDE.md — ai_assisted_weaponization=true). active_exploitation=20 ('confirmed' ladder; live installable packages observed). blast_radius=25 (34+ packages / 384+ versions / 3 ecosystems — broad campaign, but lure packages carry low individual download counts, so below node-ipc's 28 which sat on a single 3.35M-download core dependency). patch_available=-15 + live_patch_available=-10 (registry removals + Socket/Inspector blocking). Higher than node-ipc's 43 — the AI-assistant poisoning vector (+15 ai_factor that node-ipc lacked) is the delta and the entry's differentiator.",
+    "epss_score": null,
+    "epss_date": "2026-05-30",
+    "epss_note": "EPSS coverage does not extend to non-CVE OSSF-MAL identifiers as of 2026-05-30.",
+    "cwe_refs": [
+      "CWE-506",
+      "CWE-829",
+      "CWE-94",
+      "CWE-1357"
+    ],
+    "source_verified": "2026-05-30",
+    "verification_sources": [
+      "https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates",
+      "https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html",
+      "https://api.osv.dev/v1/vulns/MAL-2026-4207",
+      "https://github.com/advisories/GHSA-7r6r-hqg7-f6mq",
+      "https://socradar.io/blog/trapdoor-npm-pypi-cratesio-secrets-ai-tooling/",
+      "https://www.csoonline.com/article/4177019/trapdoor-malware-campaign-puts-developer-workstations-in-ciso-spotlight.html"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Advisory Database (npm)",
+        "advisory_id": "GHSA-7r6r-hqg7-f6mq",
+        "url": "https://github.com/advisories/GHSA-7r6r-hqg7-f6mq",
+        "severity": "critical",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "OpenSSF Malicious-Packages (OSV)",
+        "advisory_id": "MAL-2026-4207",
+        "url": "https://osv.dev/vulnerability/MAL-2026-4207",
+        "severity": "critical",
+        "published_date": "2026-05-21"
+      },
+      {
+        "vendor": "Amazon Inspector",
+        "advisory_id": "IN-MAL-2026-003711",
+        "url": "https://osv.dev/vulnerability/MAL-2026-4207",
+        "severity": "critical",
+        "published_date": "2026-05-26"
+      },
+      {
+        "vendor": "Socket",
+        "advisory_id": null,
+        "url": "https://socket.dev/blog/trapdoor-crypto-stealer-npm-pypi-crates",
+        "severity": "critical",
+        "published_date": "2026-05-25"
+      }
+    ],
+    "iocs": {
+      "c2_infrastructure": [
+        "ddjidd564.github.io (GitHub Pages C2 / dynamic-config host)",
+        "ddjidd564.github.io/defi-security-best-practices/config.json (webhook URL config)",
+        "ddjidd564.github.io/defi-security-best-practices/ (PyPI remote-JS source)",
+        "webhook.site/8d334... (hardcoded fallback C2 — full token truncated in OSV details, marked UNVERIFIED-full-value)",
+        "GitHub account: ddjidd564 (Gist exfil destination for crates.io variant)"
+      ],
+      "payload_artifacts": [
+        "trap-core.js — 48,485 bytes, 1,149 lines (shared npm payload)",
+        "Per-version SHA-256 tarball hashes catalogued by Amazon Inspector (e.g. eth-wallet-sentinel@2.1.2 = 17ddaa9a220790ae56841039efcd19f37774dd0c9e9047f7f1db0d0b6fd3f650; full set in OSV MAL-2026-4207 database_specific)",
+        "crates.io XOR key: cargo-build-helper-2026; build.rs compile-time trigger",
+        "Campaign marker string: P-2024-001"
+      ],
+      "ai_assistant_poisoning": [
+        ".cursorrules and CLAUDE.md files written into the project containing instructions hidden with zero-width Unicode characters (U+200B/U+200C/U+200D class) that instruct the AI assistant to run a fake 'security scan' triggering local-secret discovery + exfiltration"
+      ],
+      "behavioral": [
+        "postinstall (npm) / import-time `node -e` (PyPI) / build.rs (crates) executing credential-scan over ~/.aws, ~/.ssh, GitHub tokens, browser crypto-wallet-extension stores (Coinbase/Binance/MetaMask/Brave), env vars",
+        "Outbound to ddjidd564.github.io for dynamic C2 config; Gist POST for crates exfil",
+        "AWS/GitHub token-validation API calls from a process that just resolved one of the named packages"
+      ],
+      "forensic_note": "PyPI variant pulls live JS at import time so the on-disk package may not contain the final payload — capture network/DNS to ddjidd564.github.io and snapshot any written .cursorrules/CLAUDE.md before remediating. Zero-width Unicode in repo config is the AI-assistant-poisoning forensic artifact."
+    },
+    "last_updated": "2026-05-30",
+    "discovery_attribution_note": "Discovered and named by Socket (cross-registry behavioral detection, median 5m27s to detect). Corroborated by The Hacker News, CSO Online, SOCRadar, Phoenix Security. Primary machine-readable ids from OSV.dev (OpenSSF malicious-packages / GHSA-malware feed + Amazon Inspector). Discovery class: ecosystem-detection (telemetry-driven, no AI tool on defender side). crates.io packages NOT yet present in OSV as of 2026-05-30 query — their MAL-* ids are UNVERIFIED/pending; only npm + PyPI ids confirmed.",
+    "remediation_status": "partially_removed_from_registry",
+    "remediation_note": "Reported to npm/PyPI/crates.io; some versions removed, others live at Socket's reporting time. Novel defended class: AI-coding-assistant config-file prompt-injection (.cursorrules/CLAUDE.md zero-width Unicode) as a supply-chain exfiltration vector — candidate for a new zeroday-lessons control (AI-ASSISTANT-CONFIG-POISONING-DETECTION).",
+    "remediation_status_verified_at": "2026-05-30",
+    "affected_versions": [
+      "npm: 19 lure packages across the campaign (10 in the GHSA-7r6r-hqg7-f6mq anchor cluster, by maintainer ddjidd5640, published 2026-05-19..21) — all published versions of the named packages are malicious (e.g. eth-wallet-sentinel@2.1.2, SHA-256 in OSV MAL-2026-4207)",
+      "PyPI: cryptowallet-safety / defi-risk-scanner / eth-security-auditor (earliest eth-security-auditor@0.1.0, 2026-05-22) — all published versions malicious (OSV MAL-2026-4259/4260/4261)",
+      "crates.io: move-* / sui-* build-helper packages — all published versions malicious; no OSV MAL-* assigned as of 2026-05-30 (UNVERIFIED pending OSV coverage)"
+    ]
+  },
+  "MAL-2026-MOIKA-DEPCONFUSION": {
+    "name": "oob.moika.tech dependency-confusion credential-exfiltration campaign (internal-scope namespace squat)",
+    "type": "supply-chain-dependency-confusion",
+    "cvss_score": 8.6,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
+    "cvss_correction_note": "No NVD CVE assigned as of 2026-05-30; OSV tracks the campaign as per-package MAL-* records (e.g. MAL-2026-4952 / MAL-2026-4978 / MAL-2026-5032), each aliased to an unscored GHSA malicious-package advisory. CVSS synthesized per OSSF Malicious-Packages convention: unauthenticated code execution on `npm install` when a victim's private internal package name resolves to the attacker's inflated-version public scoped package. AV:N (payload reaches the victim over the npm registry channel); UI:R (a developer / CI must run `npm install` against a project referencing the squatted scope); S:C (full process.env exfil including AWS / NPM / GITHUB tokens extends blast radius beyond the install process); C:H/I:N/A:N — observed payload is reconnaissance/exfiltration only (Microsoft: server-side RECON_ONLY toggle), so no confirmed integrity/availability impact yet. The I:N/A:N is conservative and will move if the toggle is flipped to full exploitation.",
+    "cisa_kev": false,
+    "cisa_kev_date": null,
+    "kev_scope_note": "CISA KEV excludes ecosystem-package compromises (npm malicious-package events) with no assigned CVE — its scope is federally-deployable products with CVE identifiers. Local KEV snapshot (catalogVersion 2026.05.13) grepped for `moika` / `cloudplatform-single-spa` / `t-in-one` / `dependency confusion` returned 0 hits; the snapshot also predates the 2026-05-27 campaign. `cisa_kev: false` is correct. Consume KEV-equivalent guidance from the OSV MAL feed + GitHub Advisory Database + ecosystem reporting (SafeDep, Microsoft Security).",
+    "poc_available": true,
+    "poc_description": "Live payload — ~164 (escalated to ~179) malicious scoped packages were published to the public npm registry across two waves (2026-05-27 21:15–21:37 UTC; 2026-05-29 09:01–09:02 UTC) by attacker-controlled accounts mr.4nd3r50n / pik-libs / t-in-one (ce-rwb in the Microsoft cluster). The installable malicious build + obfuscated scripts/postinstall.js stager IS the PoC. Source: OSV MAL-2026-4978; SafeDep 2026-05-29; Microsoft Security 2026-05-29.",
+    "ai_discovered": false,
+    "ai_discovery_source": "vendor_research",
+    "ai_discovery_notes": "No AI-tool credited for discovery. Concurrent ecosystem detection by SafeDep (campaign analysis OSV cites) and Microsoft Security; OSV/GitHub Advisory Database assigned MAL-*/GHSA ids. ai_discovery_source set to `vendor_research` because the enum lacks an `ecosystem_detection` value; this note records the actual provenance.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-tooling credit on the payload-development side. The 7–13 KB obfuscated postinstall stager follows a conventional string-encoding/minifier pattern; no AI-generated-code fingerprint reported by the responding firms. UNVERIFIED whether any tooling was AI-assisted — no source asserts either way.",
+    "active_exploitation": "confirmed",
+    "active_exploitation_notes": "Packages were live and installable on the public npm registry during both exposure windows; the postinstall stager fires automatically on any `npm install` resolving a squatted internal name. Microsoft characterizes the deployed second stage as reconnaissance-only at time of reporting, with a server-side RECON_ONLY toggle that can escalate to full credential weaponization without republishing. Source: Microsoft Security 2026-05-29; SafeDep 2026-05-29.",
+    "affected": "Internal/private npm packages whose scope names were squatted on the PUBLIC registry: @cloudplatform-single-spa, @mlspace, @car-loans, @fb-deposit, @debit-ib, @t-in-one, @capibar.chat, @sber-ecom-core (SafeDep 8-scope set); Microsoft additionally lists @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests (nine-scope cluster, likely same operator). Any organization using these internal scope names is exposed if its install config lets the public registry win resolution. @sber-ecom-core impersonates Sberbank. ~164–179 packages total.",
+    "affected_versions": [
+      "Wave 1 (2026-05-27/28): scoped packages published at inflated version 99.99.99",
+      "Wave 2 (2026-05-29): inflated versions 5.7.1, 99.5.7, 99.5.8, and pre-staged 99.0.7",
+      "Any inflated-version public package under a squatted internal scope — exact-version match in a lockfile is the exposure signal"
+    ],
+    "vector": "Dependency-confusion / namespace-squat. (1) Attacker publishes public npm packages under organizational scopes that mirror a target's INTERNAL package namespaces (e.g. @cloudplatform-single-spa/monitoring). (2) Packages carry inflated semver (99.99.99 etc.) so npm's default version resolution prefers the public package over the private-registry version when no scope→registry mapping pins the internal scope. (3) On `npm install`, the `postinstall` hook runs scripts/postinstall.js (7–13 KB obfuscated): 3s sandbox-evasion delay → OS detect → HTTPS GET https://oob.moika.tech/payload/{mac|win|linux}.js with header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 → write to tmpdir → spawn detached subprocess. (4) Second stage POSTs full process.env (NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET, GITHUB_TOKEN, DB URLs) plus host/user/platform/arch/cwd/Node-version fingerprint to https://oob.moika.tech/report. Social-engineering cover: a fake telemetry disclosure (telemetry.cloudplatform-single-spa.io) + opt-out env var (CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1 / T_IN_ONE_NO_TELEMETRY) makes the install-time egress read as legitimate corporate telemetry; real exfil goes to oob.moika.tech, not the disclosed domain. Class: dependency-confusion with postinstall second-stage staging — DISTINCT from account-recovery (node-ipc) and main-module payload classes. Source: SafeDep 2026-05-29; Microsoft 2026-05-29; OSV MAL-2026-4978/5032.",
+    "complexity": "low",
+    "complexity_notes": "Consumer-side exploitation is automatic on any `npm install` that resolves a squatted internal name to the public package; no race, no interaction beyond install. --ignore-scripts DOES mitigate (unlike the node-ipc main-module class) because the payload is gated behind the postinstall lifecycle hook. Attacker-side precondition (knowing a target's internal scope names) is low-complexity — scope names routinely leak via public source, CI logs, error traces, and job postings.",
+    "patch_available": true,
+    "patch_required_reboot": false,
+    "live_patch_available": true,
+    "live_patch_tools": [
+      "npm yank / GitHub-driven removal of the malicious versions (registry-side)",
+      "Scope-to-registry pinning in .npmrc (@scope:registry=) so internal scopes never resolve to the public registry — the structural fix for the whole class",
+      "npm install --ignore-scripts (blocks the postinstall stager specifically)",
+      "Socket / StepSecurity Harden-Runner (install-time + egress blocking)",
+      "Snyk / OSV-scanner / Semgrep Supply Chain (lockfile audit against MAL-*/GHSA set)"
+    ],
+    "vendor_update_paths": [
+      "Pin every internal scope to the private registry in project + CI .npmrc (@cloudplatform-single-spa:registry=…, etc.); this prevents public-registry resolution regardless of version inflation",
+      "Lockfile audit: scan package-lock.json / yarn.lock / pnpm-lock.yaml for any of the squatted scopes resolved to a public-registry tarball at an inflated version",
+      "Rotate every credential exposed as an env var on any host (dev or CI) that ran an affected install during the exposure windows — NPM_TOKEN, AWS keys, GITHUB_TOKEN, DB URLs",
+      "Block egress to oob.moika.tech and the t-in-one.io lure domains at the network layer"
+    ],
+    "framework_control_gaps": {
+      "NIST-800-218-SSDF": "PW/PS component-provenance controls assume the consumed package is the intended one; SSDF does not mandate scope→registry pinning, so a dependency-confusion resolution is SSDF-conformant.",
+      "EU-CRA-Art13": "SBOM/component-inventory requirement records WHAT resolved, not whether the resolution SHOULD have gone to a private registry — a confused public package is SBOM-listed and CRA-compliant.",
+      "NIS2-Art21-supply-chain": "Generic supply-chain risk-management without npm-ecosystem specifics: no requirement for scope-registry pinning, postinstall-hook policy, or internal-namespace-squat monitoring on public registries.",
+      "EU-AI-Act-Art15": "For the @mlspace / @data-science ML-tooling scopes, the robustness/accuracy controls do not address poisoning of the ML build/dev toolchain via dependency confusion.",
+      "UK-CAF-B4": "CAF B4 supply-chain principle is outcome-based and does not prescribe registry-resolution hardening; a confused dependency satisfies B4 on paper.",
+      "ISO-27001-2022-A.5.21": "ICT supply-chain control requires managing supplier risk but does not extend to public-registry namespace collisions with internal package scopes.",
+      "NIST-800-53-SR-11": "Supply-chain controls SR-3 (controls) / SR-11 (component authenticity) cover tampering/counterfeit but not legitimate-resolution-of-the-wrong-source via version inflation.",
+      "SLSA-v1.0-Build-L3": "Build provenance attests who built a given artifact; it cannot assert that the artifact the resolver SELECTED is the one the org intended — provenance is orthogonal to dependency-confusion."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0020"
+    ],
+    "atlas_refs_note": "AML.T0010 (ML Supply Chain Compromise) and AML.T0020 (Poison Training Data — adjacent for the @mlspace/@data-science ML-tooling scopes). Pinned ATLAS v5.1.0. Mapped because the campaign explicitly targets ML-tooling internal scopes; if neither ATLAS technique survives review for a non-ML dependency-confusion case, fall back to ATT&CK-only (orphaned-control rule).",
+    "attack_refs": [
+      "T1195.001",
+      "T1195.002",
+      "T1059.007",
+      "T1552.001",
+      "T1041",
+      "T1071.001"
+    ],
+    "attack_refs_note": "T1195.001 (Compromise SW Dependencies & Dev Tools) + .002 (Compromise SW Supply Chain) = the dependency-confusion core; T1059.007 (JavaScript postinstall execution); T1552.001 (Credentials in Files/env) — process.env harvest; T1041 (Exfil over C2 channel) / T1071.001 (Web protocols) — HTTPS POST to oob.moika.tech.",
+    "rwep_score": 43,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 20,
+      "blast_radius": 28,
+      "patch_available": -15,
+      "live_patch_available": -10,
+      "reboot_required": 0
+    },
+    "rwep_rationale": "RWEP, not CVSS-alone. Sum = 0+20+0+20+28-15-10+0 = 43 (Shape-B, verified vs lib/scoring.js). poc_available=20 (live malicious packages, two waves). active_exploitation=20 (installable + auto-firing postinstall during the windows; Microsoft confirms a deployed-and-running stage). blast_radius=28 (full process.env on a CI runner = total deployment-secret compromise; ~164-179 packages across 8-9 scopes incl. a bank impersonation). patch_available=-15 + live_patch_available=-10 (registry removal + scope->registry pinning structural fix + scanner/Harden-Runner blocking). Matches the MAL-2026-NODE-IPC-STEALER exemplar shape (43).",
+    "epss_score": null,
+    "epss_date": "2026-05-30",
+    "epss_note": "EPSS does not cover non-CVE OSV-MAL identifiers as of 2026-05-30.",
+    "cwe_refs": [
+      "CWE-1357",
+      "CWE-829",
+      "CWE-506",
+      "CWE-427"
+    ],
+    "cwe_refs_note": "CWE-1357 (reliance on insufficiently trustworthy component), CWE-829 (inclusion of functionality from untrusted control sphere — the dependency-confusion core), CWE-506 (embedded malicious code), CWE-427 (uncontrolled search path element — the resolution-precedence abuse analogue).",
+    "source_verified": "2026-05-30",
+    "verification_sources": [
+      "https://osv.dev/vulnerability/MAL-2026-4978",
+      "https://osv.dev/vulnerability/MAL-2026-5032",
+      "https://osv.dev/vulnerability/MAL-2026-4952",
+      "https://safedep.io/oob-moika-tech-dependency-confusion-campaign/",
+      "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "OSV.dev (OpenSSF)",
+        "advisory_id": "MAL-2026-4978",
+        "url": "https://osv.dev/vulnerability/MAL-2026-4978",
+        "severity": "critical",
+        "published_date": "2026-05-28"
+      },
+      {
+        "vendor": "OSV.dev (OpenSSF)",
+        "advisory_id": "MAL-2026-4952",
+        "url": "https://osv.dev/vulnerability/MAL-2026-4952",
+        "severity": "critical",
+        "published_date": "2026-05-28"
+      },
+      {
+        "vendor": "OSV.dev (OpenSSF)",
+        "advisory_id": "MAL-2026-5032",
+        "url": "https://osv.dev/vulnerability/MAL-2026-5032",
+        "severity": "critical",
+        "published_date": "2026-05-29"
+      },
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-pjmq-qghr-v939",
+        "url": "https://github.com/advisories/GHSA-pjmq-qghr-v939",
+        "severity": "critical",
+        "published_date": "2026-05-28"
+      },
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-jvj5-w453-mjrh",
+        "url": "https://github.com/advisories/GHSA-jvj5-w453-mjrh",
+        "severity": "critical",
+        "published_date": "2026-05-28"
+      },
+      {
+        "vendor": "GitHub Advisory Database",
+        "advisory_id": "GHSA-6rfw-m3fj-7g8q",
+        "url": "https://github.com/advisories/GHSA-6rfw-m3fj-7g8q",
+        "severity": "critical",
+        "published_date": "2026-05-29"
+      }
+    ],
+    "vendor_advisories_note": "OSV/GHSA assign per-package malicious-package records; the three MAL-*/GHSA pairs above are a representative sample (Wave 1 mr.4nd3r50n + Wave 2 t-in-one). GHSA malicious-package advisories are unscored by GitHub; severity=critical reflects the OSSF-MAL credential-exfil convention, not a published GHSA CVSS.",
+    "iocs": {
+      "network": [
+        "C2: oob.moika.tech — exfil endpoint https://oob.moika.tech/report (POST full process.env + host fingerprint)",
+        "Second-stage payload host: https://oob.moika.tech/payload/{mac|win|linux}.js (or /payload/{mac|win|linux})",
+        "Lure / social-engineering domains: npm.t-in-one.io, docs.t-in-one.io, jira.t-in-one.io; fake-telemetry disclosure domain telemetry.cloudplatform-single-spa.io",
+        "HTTP request header on ALL C2 calls: X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1 (shared across all operator accounts — single-operator fingerprint)"
+      ],
+      "payload_artifacts": [
+        "scripts/postinstall.js in the package tarball — 7–13 KB obfuscated stager; presence of a postinstall hook on a freshly-published scoped package at an inflated version is the primary tarball IoC",
+        "Dropped tmpdir payloads: ._cloudplatform-single-spa_init.js, ._wb-track_init.js, ._t-in-one_init.js",
+        "Dedup/marker cache dirs: ~/.cache/._cloudplatform-single-spa_init/, ~/.cache/._t-in-one_init/"
+      ],
+      "behavioral": [
+        "An `npm install` resolving any of the squatted scopes spawns a detached child ~3s after install, then issues HTTPS GET to oob.moika.tech/payload and HTTPS POST to oob.moika.tech/report carrying high-volume env data",
+        "Process reads/serializes the full process.env (no key filtering) immediately before an outbound POST — the raw-env-dump-then-exfil sequence is the credential-harvest fingerprint",
+        "Kill-switch env vars present in the install environment: CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY, T_IN_ONE_NO_TELEMETRY, or *_RECON_ONLY / *_PKG / *_VER / *_SECRET"
+      ],
+      "version_exposure": [
+        "Lockfile contains any of the squatted scopes (@cloudplatform-single-spa, @mlspace, @car-loans, @fb-deposit, @debit-ib, @t-in-one, @capibar.chat, @sber-ecom-core, @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests) resolved to a PUBLIC-registry tarball at version 99.99.99 / 5.7.1 / 99.5.7 / 99.5.8 / 99.0.7"
+      ],
+      "publisher_metadata": [
+        "npm publisher account mr.4nd3r50n (mr.4nd3r50n@yandex.ru), pik-libs, t-in-one (t-in-one@yandex.ru / nath.dr4k3@gmail.com), or ce-rwb (ogvanta@yandex.ru) on a scoped tarball"
+      ],
+      "forensic_note": "The structural defense is scope→registry pinning, not yank — yanking individual packages does not prevent the NEXT inflated-version publish under the same scope. Audit every internal scope for a public-registry counterpart and pin it. Pull DNS + proxy logs for oob.moika.tech across both exposure windows; the POST to /report is the proof the payload fired AND exfil succeeded (postinstall execution alone does not prove successful exfil)."
+    },
+    "last_updated": "2026-05-30",
+    "discovery_attribution_note": "Concurrent ecosystem detection: SafeDep published the consolidated campaign analysis (https://safedep.io/oob-moika-tech-dependency-confusion-campaign/) OSV cites as the canonical reference; Microsoft Security published independent analysis 2026-05-29. OSV.dev / GitHub Advisory Database assigned per-package MAL-*/GHSA identifiers. No single human researcher credited; no AI-tool credit on the defender side. Discovery class: ecosystem-detection (telemetry/registry-monitoring driven). Source-count ambiguity: package count reported as 164 (SafeDep initial), 179 (SafeDep escalation by 2026-05-29), 45 (Microsoft article body: 26 mr.4nd3r50n + 7 ce-rwb + 12 t-in-one; the \"33\" in the URL slug is superseded by the body); the SafeDep figure is carried in `affected`, the Microsoft figure retained here for audit reconciliation. Scope sets differ between the two reports (8 vs 9 named scopes) — both retained.",
+    "_editorial_note": "MOIKA (oob.moika.tech) intake: NOVEL attack class for this catalog — first dependency-confusion / internal-scope-squat entry (catalog previously had zero). Distinct from MAL-2026-NODE-IPC-STEALER (account-recovery, main-module payload, DNS-TXT exfil): MOIKA is namespace-confusion, postinstall stager, HTTPS-POST exfil, --ignore-scripts-mitigable. Likely warrants a new zeroday-lessons control (PACKAGE-INTERNAL-SCOPE-REGISTRY-PINNING). RWEP 43 (exemplar convention: live_patch_available credited -10).js (would be 43 under the exemplar's -10 convention).",
+    "remediation_status": "partially_removed_from_registry",
+    "remediation_note": "Malicious packages were reported and are being removed from npm; OSV/GHSA records published 2026-05-28/29. Removal is per-package and reactive — the structural risk (any attacker can re-publish an inflated version under an unpinned internal scope) persists until consuming orgs pin internal scopes to their private registry. UNVERIFIED: whether all ~179 packages were removed and whether all four publisher accounts were deactivated as of 2026-05-30 (no source confirms complete takedown).",
+    "remediation_status_verified_at": "2026-05-30"
+  },
   "CVE-2025-0282": {
     "ai_assisted_weaponization": false,
     "name": "Ivanti Connect Secure / Policy Secure / Neurons for ZTA stack-overflow preauth RCE",
@@ -17178,9 +17626,9 @@
     "affected": "Weaviate OSS before the branch fixes 1.30.20, 1.31.19, 1.32.16, and 1.33.4 (the GHSA ships per-maintained-branch patches).",
     "affected_versions": [
       "Weaviate OSS < 1.30.20",
-        "Weaviate OSS >= 1.31.0-rc.0, < 1.31.19",
-        "Weaviate OSS >= 1.32.0-rc.0, < 1.32.16",
-        "Weaviate OSS >= 1.33.0-rc.0, < 1.33.4"
+      "Weaviate OSS >= 1.31.0-rc.0, < 1.31.19",
+      "Weaviate OSS >= 1.32.0-rc.0, < 1.32.16",
+      "Weaviate OSS >= 1.33.0-rc.0, < 1.33.4"
     ],
     "vector": "Weaviate OSS does not constrain backup entry paths during restore, so an attacker with insert/write access crafts entries with absolute or ../ traversal paths that escape the restore root (CWE-22 ZipSlip), creating or overwriting files in arbitrary locations on the Weaviate host.",
     "complexity": "low",

package/data/cwe-catalog.json

@@ -429,7 +429,8 @@
       "CVE-2026-45829",
       "CVE-2026-5760",
       "CVE-2026-6973",
-      "MAL-2026-3083"
+      "MAL-2026-3083",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SI-10",
@@ -1425,7 +1426,10 @@
       "MAL-2026-3083",
       "MAL-2026-NODE-IPC-STEALER",
       "MAL-2026-SHAI-HULUD-OSS",
-      "MAL-2026-TANSTACK-MINI"
+      "MAL-2026-TANSTACK-MINI",
+      "CVE-2022-23812",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -1745,7 +1749,9 @@
       "CVE-2025-54136",
       "CVE-2025-64496",
       "MAL-2026-NODE-IPC-STEALER",
-      "MAL-2026-SHAI-HULUD-OSS"
+      "MAL-2026-SHAI-HULUD-OSS",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -2021,7 +2027,9 @@
       "CVE-2024-3094",
       "CVE-2026-30615",
       "CVE-2026-45321",
-      "MAL-2026-NODE-IPC-STEALER"
+      "MAL-2026-NODE-IPC-STEALER",
+      "MAL-2026-TRAPDOOR-CROSS-ECOSYSTEM",
+      "MAL-2026-MOIKA-DEPCONFUSION"
     ],
     "framework_controls_partially_addressing": [
       "NIST-800-53-SA-12",
@@ -3177,7 +3185,9 @@
       "CWE-2000"
     ],
     "related_weaknesses": [],
-    "evidence_cves": [],
+    "evidence_cves": [
+      "MAL-2026-MOIKA-DEPCONFUSION"
+    ],
     "last_verified": "2026-05-19",
     "notes": "Bulk-imported v0.13.18 from the canonical MITRE Top 25 + commonly-referenced-class expansion.",
     "_auto_imported": true,