Coordinated npm supply-chain attack (May 28–29, 2026) in which a single threat actor published 45 malicious packages across nine organizational scopes (@cloudplatform-single-spa, @wb-track, @data-science, @ce-rwb, @payments-widget, @travel-autotests, @t-in-one, @capibar.chat, @sber-ecom-core) using dependency-confusion namesquatting against real corporate namespaces. Packages were pushed from three linked maintainer accounts (mr.4nd3r50n, ce-rwb, t-in-one) sharing C2 infrastructure and a hardcoded auth token. On `npm install`, an obfuscated postinstall stager runs, bypasses CI detection, deduplicates execution via ~/.cache/<scope>_init/, downloads a platform-specific payload from https://oob.moika[.]tech/payload/<platform> (authenticated with header X-Secret: l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1), and spawns a detached reconnaissance process that collects host info, environment variables, installed packages, and credentials. A RECON_ONLY=1 flag indicates a phase-1 recon stage with a server-side toggle for full exploitation. All packages and accounts have been removed from npm. Reported by Microsoft Threat Intelligence.