-= Per source details. Do not edit below this line.=-
package.json declares postinstall=node index.js, which runs automatically on npm install. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.
The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.9.5"
],
"sha256": "84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95",
"import_time": "2026-07-09T13:32:38.189412003Z",
"modified_time": "2026-07-09T12:25:53Z",
"source": "ossf-package-analysis"
},
{
"versions": [
"99.9.5"
],
"id": "IN-MAL-2026-009107",
"import_time": "2026-07-09T16:20:41.37316939Z",
"modified_time": "2026-07-09T15:29:20Z",
"sha256": "12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24",
"source": "amazon-inspector"
},
{
"versions": [
"99.9.6"
],
"id": "IN-MAL-2026-009301",
"modified_time": "2026-07-09T16:34:08Z",
"sha256": "5436bbe20f2f46c187360960355983b715a1fec39173341d09f1fb6114012b9a",
"import_time": "2026-07-09T17:19:20.794993812Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6",
"sha256": "108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0",
"path": "index.js"
},
{
"tlsh": "8ed0a7741d30593329c417a94967a40bb9718e1b0104780c6b93286cd7ee93348fe20e",
"sha256": "8a5f0802730424a53c2a7273f9aa90f4ea185b0630e43dbe1c8f29f262f4de51",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "client-cookies-agent-99.9.5.tgz",
"hashes": {
"sha512_sri": "sha512-LzIqGmlSVxxM/pVvGgUth827tQBp86NPR5Y/hBLNHiJvsAJ71IZHRWK5ixsI9xNeXqkm7nv8+/sziZZpIxwaAg==",
"sha1": "bd77224fc4f9970cf960b926dab0f716d2d70ecc"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/client-cookies-agent/MAL-2026-10019.json"