-= Per source details. Do not edit below this line.=-
On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects import 'uac-package/track' into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config., and adds a Nuxt module entry to nuxt.config.. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (accesstoken, idtoken, refreshtoken, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAKSESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.
{
"malicious-packages-origins": [
{
"sha256": "22d32047710ee8e566af17a54d0bc0859b75a1d066ad0ac17673b2de87dc10e7",
"id": "IN-MAL-2026-009627",
"import_time": "2026-07-10T16:19:42.792779791Z",
"modified_time": "2026-07-10T15:50:57Z",
"versions": [
"1.4.5"
],
"source": "amazon-inspector"
},
{
"sha256": "52df4d1ea783c5388332f96f59cfb6a410b1e079411460f51db6f0404f9c7f05",
"id": "IN-MAL-2026-009625",
"modified_time": "2026-07-10T15:50:41Z",
"versions": [
"1.4.6"
],
"import_time": "2026-07-10T16:19:42.54528858Z",
"source": "amazon-inspector"
},
{
"sha256": "95910a8bf91d2e7ae56853ea58c4cd6f14ee3f3c3f5168198bd241bc45b98371",
"id": "IN-MAL-2026-009623",
"modified_time": "2026-07-10T15:50:23Z",
"versions": [
"1.4.1"
],
"import_time": "2026-07-10T16:19:42.301261567Z",
"source": "amazon-inspector"
},
{
"sha256": "2e485b0df43825244098a69bb078d36c4ce98243d46c652d92ebb1afb2ae36f5",
"id": "IN-MAL-2026-009626",
"modified_time": "2026-07-10T15:50:48Z",
"versions": [
"1.4.3"
],
"import_time": "2026-07-10T16:19:42.675537508Z",
"source": "amazon-inspector"
},
{
"sha256": "4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9",
"id": "IN-MAL-2026-009624",
"import_time": "2026-07-10T16:19:42.433889141Z",
"modified_time": "2026-07-10T15:50:33Z",
"versions": [
"1.4.7"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "8cd1981b41c7162369d3e59ec9c7faac4f012b27ba721058d1d47a6abfe7360c",
"tlsh": "8ee12349684be61687f2ab79d9438409fb3ba1736208519579dd91dc3ff022081e3eef",
"path": "lib/integrate.js"
},
{
"sha256": "21e0ace857aeeb5b4896e4cdfc6c66f0ce7f058a085f80b50928cf8647f2ae57",
"tlsh": "df52956e38f33034056750b9abdf7405b226a413384ee8d436ac87157fed52a96f2acd",
"path": "lib/autoIdentity.mjs"
},
{
"sha256": "b25f814bb5b1b4132a92e40ca1abd2e2a819b0be9eaad39b6f194a71ada16f8c",
"tlsh": "ab5294ad7df2203d0577616c240bf01a3b7ac543290dcd92b7ac87606fd96298af1acc",
"path": "lib/track.mjs"
}
],
"package_integrity": [
{
"filename": "uac-package-1.4.5.tgz",
"hashes": {
"sha512_sri": "sha512-RWVOSP5ZJ7RGJEpNs4BPzM65WmWDuTlA7wTB9K0fWgiRDeGUTAOd4c6Kw7MWIXYHztoC4KNkN4WrwAykg20iGA==",
"sha1": "b2e3f74febb5e561f043fe1318cd20f348674c1a"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uac-package/MAL-2026-10138.json"