MAL-2026-10138

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uac-package/MAL-2026-10138.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10138
Published
2026-07-10T15:50:23Z
Modified
2026-07-10T16:31:59.530898463Z
Summary
Malicious code in uac-package (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9)

On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects import 'uac-package/track' into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config., and adds a Nuxt module entry to nuxt.config.. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (accesstoken, idtoken, refreshtoken, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAKSESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "22d32047710ee8e566af17a54d0bc0859b75a1d066ad0ac17673b2de87dc10e7",
            "id": "IN-MAL-2026-009627",
            "import_time": "2026-07-10T16:19:42.792779791Z",
            "modified_time": "2026-07-10T15:50:57Z",
            "versions": [
                "1.4.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "52df4d1ea783c5388332f96f59cfb6a410b1e079411460f51db6f0404f9c7f05",
            "id": "IN-MAL-2026-009625",
            "modified_time": "2026-07-10T15:50:41Z",
            "versions": [
                "1.4.6"
            ],
            "import_time": "2026-07-10T16:19:42.54528858Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "95910a8bf91d2e7ae56853ea58c4cd6f14ee3f3c3f5168198bd241bc45b98371",
            "id": "IN-MAL-2026-009623",
            "modified_time": "2026-07-10T15:50:23Z",
            "versions": [
                "1.4.1"
            ],
            "import_time": "2026-07-10T16:19:42.301261567Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "2e485b0df43825244098a69bb078d36c4ce98243d46c652d92ebb1afb2ae36f5",
            "id": "IN-MAL-2026-009626",
            "modified_time": "2026-07-10T15:50:48Z",
            "versions": [
                "1.4.3"
            ],
            "import_time": "2026-07-10T16:19:42.675537508Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9",
            "id": "IN-MAL-2026-009624",
            "import_time": "2026-07-10T16:19:42.433889141Z",
            "modified_time": "2026-07-10T15:50:33Z",
            "versions": [
                "1.4.7"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / uac-package

Package

Affected ranges

Affected versions

1.*
1.4.1
1.4.3
1.4.5
1.4.6
1.4.7

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "8cd1981b41c7162369d3e59ec9c7faac4f012b27ba721058d1d47a6abfe7360c",
            "tlsh": "8ee12349684be61687f2ab79d9438409fb3ba1736208519579dd91dc3ff022081e3eef",
            "path": "lib/integrate.js"
        },
        {
            "sha256": "21e0ace857aeeb5b4896e4cdfc6c66f0ce7f058a085f80b50928cf8647f2ae57",
            "tlsh": "df52956e38f33034056750b9abdf7405b226a413384ee8d436ac87157fed52a96f2acd",
            "path": "lib/autoIdentity.mjs"
        },
        {
            "sha256": "b25f814bb5b1b4132a92e40ca1abd2e2a819b0be9eaad39b6f194a71ada16f8c",
            "tlsh": "ab5294ad7df2203d0577616c240bf01a3b7ac543290dcd92b7ac87606fd96298af1acc",
            "path": "lib/track.mjs"
        }
    ],
    "package_integrity": [
        {
            "filename": "uac-package-1.4.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-RWVOSP5ZJ7RGJEpNs4BPzM65WmWDuTlA7wTB9K0fWgiRDeGUTAOd4c6Kw7MWIXYHztoC4KNkN4WrwAykg20iGA==",
                "sha1": "b2e3f74febb5e561f043fe1318cd20f348674c1a"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uac-package/MAL-2026-10138.json"