MAL-2026-10019

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/client-cookies-agent/MAL-2026-10019.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10019
Published
2026-07-09T12:25:53Z
Modified
2026-07-09T17:31:58.919304571Z
Summary
Malicious code in client-cookies-agent (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24)

package.json declares postinstall=node index.js, which runs automatically on npm install. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.

Source: ossf-package-analysis (84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95)

The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.5"
            ],
            "sha256": "84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95",
            "import_time": "2026-07-09T13:32:38.189412003Z",
            "modified_time": "2026-07-09T12:25:53Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "99.9.5"
            ],
            "id": "IN-MAL-2026-009107",
            "import_time": "2026-07-09T16:20:41.37316939Z",
            "modified_time": "2026-07-09T15:29:20Z",
            "sha256": "12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "99.9.6"
            ],
            "id": "IN-MAL-2026-009301",
            "modified_time": "2026-07-09T16:34:08Z",
            "sha256": "5436bbe20f2f46c187360960355983b715a1fec39173341d09f1fb6114012b9a",
            "import_time": "2026-07-09T17:19:20.794993812Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / client-cookies-agent

Package

Name
client-cookies-agent
View open source insights on deps.dev
Purl
pkg:npm/client-cookies-agent

Affected ranges

Affected versions

99.*
99.9.5
99.9.6

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6",
            "sha256": "108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0",
            "path": "index.js"
        },
        {
            "tlsh": "8ed0a7741d30593329c417a94967a40bb9718e1b0104780c6b93286cd7ee93348fe20e",
            "sha256": "8a5f0802730424a53c2a7273f9aa90f4ea185b0630e43dbe1c8f29f262f4de51",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "client-cookies-agent-99.9.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-LzIqGmlSVxxM/pVvGgUth827tQBp86NPR5Y/hBLNHiJvsAJ71IZHRWK5ixsI9xNeXqkm7nv8+/sziZZpIxwaAg==",
                "sha1": "bd77224fc4f9970cf960b926dab0f716d2d70ecc"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/client-cookies-agent/MAL-2026-10019.json"