-= Per source details. Do not edit below this line.=-
The package's entire content (xss.js) is a 2-line cookie-stealing payload that creates an Image element whose source is https://collaborator.gbrls.workers.dev/ with the base64-encoded value of document.cookie appended. This is a textbook XSS cookie-exfiltration primitive that sends the data to an attacker-controlled Cloudflare Workers endpoint. Regardless of whether this was published as a CTF artifact, any consumer who installs and bundles this package into a web app will cause end users' cookies that are readable through document.cookie (that is, those not flagged HttpOnly) to be sent to that endpoint when the bundled script runs in their browsers. There is no legitimate use case for publishing a cookie-exfil snippet to the public npm registry.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-002143",
"import_time": "2026-05-13T20:10:51.64659689Z",
"sha256": "6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d",
"source": "amazon-inspector",
"modified_time": "2026-05-12T19:03:07Z",
"versions": [
"1.0.0"
]
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "xss.js",
"sha256": "decdf14c9d0d7a053b21540e05b7942fbf60f9a8a52e643b072b88bf3a667756",
"tlsh": "45b0123208ab900e5061b300b4605399f4b914eb780121a8b29d7424308b5564700570"
}
],
"package_integrity": [
{
"filename": "0ctf-chalweb-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-ACz+EB+WV8ZplIt3nj9pYKFQc6k/aq5tOlet20uPBE7Qonlx7NKwDLUWCKXloMy6lI1Y/LPuz85wlJZFZTqnLA==",
"sha1": "a34b8ff67ffc25f08f9a056a9763db1dd8bb4e44"
}
}
],
"urls": [
"https://collaborator.gbrls.workers.dev/"
],
"domains": [
"collaborator.gbrls.workers.dev"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0ctf-chalweb/MAL-2026-3667.json"