MAL-2026-3669

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/100jsss/MAL-2026-3669.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3669
Published
2026-05-12T07:43:31Z
Modified
2026-05-13T20:23:26.191824Z
Summary
Malicious code in 100jsss (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (207a07d918d9b3ddfdf0f845ec22f6bab19629fa77968d3b41409d0b62bad441)

The main entry g.js constructs an image beacon whose src is a base64-decoded attacker URL (https://w.g32.com/g?k=) concatenated with btoa(document.location.href + '*' + document.cookie), exfiltrating the current URL and cookies cross-origin. The destination host is deliberately hidden behind atob() to evade string-based scanning. The package has placeholder metadata, no real functionality, and a trivial README, consistent with a malicious PoC/throwaway upload rather than a legitimate library. Obfuscation + exfiltration + credential-theft target (document.cookie) is an unambiguous malicious combination.

Database specific 
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-12T19:03:07Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "207a07d918d9b3ddfdf0f845ec22f6bab19629fa77968d3b41409d0b62bad441",
            "id": "IN-MAL-2026-002325",
            "source": "amazon-inspector",
            "import_time": "2026-05-13T20:10:55.781687177Z"
        }
    ]
}
References
Credits

Affected packages

npm / 100jsss

Package

Name
100jsss
View open source insights on deps.dev
Purl
pkg:npm/100jsss

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators 
{
    "domains": [
        "w.g32.com"
    ],
    "evidence_files": [
        {
            "sha256": "3e8bd92ebf7824a05599f7fdeb4b84c94883ac95c3e50a9032beb7064fa1156a",
            "tlsh": "d8b02b743008441c18c00011b830a3c87cb3182d34232410c20cec6c6516f010470b34",
            "path": "g.js"
        }
    ],
    "urls": [
        "https://w.g32.com/g?k="
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-XdJRZtNjPON/3MLd3bRgtAwBrKY7HMwatMgU3CiVLR/4RoYw4qHUCddqOPu3y99IVs8e8HKC+JYoFquylpiiwg==",
                "sha1": "bb4b608c05b87dbd25ec0525b833938a43a260f0"
            },
            "filename": "100jsss-1.0.0.tgz"
        }
    ]
}
cwes 
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/100jsss/MAL-2026-3669.json"