{"id":"MAL-2026-10019","summary":"Malicious code in client-cookies-agent (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24)\npackage.json declares postinstall=`node index.js`, which runs automatically on `npm install`. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.\n\n## Source: ossf-package-analysis (84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95)\nThe OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-07-09T17:31:58.919304571Z","published":"2026-07-09T12:25:53Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","versions":["99.9.5"],"modified_time":"2026-07-09T12:25:53Z","import_time":"2026-07-09T13:32:38.189412003Z","sha256":"84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95"},{"source":"amazon-inspector","versions":["99.9.5"],"id":"IN-MAL-2026-009107","modified_time":"2026-07-09T15:29:20Z","import_time":"2026-07-09T16:20:41.37316939Z","sha256":"12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24"},{"source":"amazon-inspector","versions":["99.9.6"],"id":"IN-MAL-2026-009301","modified_time":"2026-07-09T16:34:08Z","import_time":"2026-07-09T17:19:20.794993812Z","sha256":"5436bbe20f2f46c187360960355983b715a1fec39173341d09f1fb6114012b9a"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/client-cookies-agent/v/99.9.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/client-cookies-agent/v/99.9.6"}],"affected":[{"package":{"name":"client-cookies-agent","ecosystem":"npm","purl":"pkg:npm/client-cookies-agent"},"versions":["99.9.5","99.9.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/client-cookies-agent/MAL-2026-10019.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-LzIqGmlSVxxM/pVvGgUth827tQBp86NPR5Y/hBLNHiJvsAJ71IZHRWK5ixsI9xNeXqkm7nv8+/sziZZpIxwaAg==","sha1":"bd77224fc4f9970cf960b926dab0f716d2d70ecc"},"filename":"client-cookies-agent-99.9.5.tgz"}],"evidence_files":[{"sha256":"108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0","path":"index.js","tlsh":"203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6"},{"sha256":"8a5f0802730424a53c2a7273f9aa90f4ea185b0630e43dbe1c8f29f262f4de51","path":"package.json","tlsh":"8ed0a7741d30593329c417a94967a40bb9718e1b0104780c6b93286cd7ee93348fe20e"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}