{"id":"MAL-2026-10138","summary":"Malicious code in uac-package (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9)\nOn npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (access_token, id_token, refresh_token, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAK_SESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.\n","modified":"2026-07-10T16:31:59.530898463Z","published":"2026-07-10T15:50:23Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-10T15:50:57Z","sha256":"22d32047710ee8e566af17a54d0bc0859b75a1d066ad0ac17673b2de87dc10e7","import_time":"2026-07-10T16:19:42.792779791Z","id":"IN-MAL-2026-009627","versions":["1.4.5"]},{"import_time":"2026-07-10T16:19:42.54528858Z","source":"amazon-inspector","sha256":"52df4d1ea783c5388332f96f59cfb6a410b1e079411460f51db6f0404f9c7f05","modified_time":"2026-07-10T15:50:41Z","id":"IN-MAL-2026-009625","versions":["1.4.6"]},{"import_time":"2026-07-10T16:19:42.301261567Z","source":"amazon-inspector","sha256":"95910a8bf91d2e7ae56853ea58c4cd6f14ee3f3c3f5168198bd241bc45b98371","modified_time":"2026-07-10T15:50:23Z","id":"IN-MAL-2026-009623","versions":["1.4.1"]},{"import_time":"2026-07-10T16:19:42.675537508Z","source":"amazon-inspector","sha256":"2e485b0df43825244098a69bb078d36c4ce98243d46c652d92ebb1afb2ae36f5","modified_time":"2026-07-10T15:50:48Z","id":"IN-MAL-2026-009626","versions":["1.4.3"]},{"source":"amazon-inspector","modified_time":"2026-07-10T15:50:33Z","sha256":"4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9","import_time":"2026-07-10T16:19:42.433889141Z","id":"IN-MAL-2026-009624","versions":["1.4.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/uac-package/v/1.4.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uac-package/v/1.4.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uac-package/v/1.4.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uac-package/v/1.4.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/uac-package/v/1.4.7"}],"affected":[{"package":{"name":"uac-package","ecosystem":"npm","purl":"pkg:npm/uac-package"},"versions":["1.4.5","1.4.6","1.4.1","1.4.3","1.4.7"],"database_specific":{"indicators":{"package_integrity":[{"filename":"uac-package-1.4.5.tgz","hashes":{"sha512_sri":"sha512-RWVOSP5ZJ7RGJEpNs4BPzM65WmWDuTlA7wTB9K0fWgiRDeGUTAOd4c6Kw7MWIXYHztoC4KNkN4WrwAykg20iGA==","sha1":"b2e3f74febb5e561f043fe1318cd20f348674c1a"}}],"evidence_files":[{"tlsh":"8ee12349684be61687f2ab79d9438409fb3ba1736208519579dd91dc3ff022081e3eef","sha256":"8cd1981b41c7162369d3e59ec9c7faac4f012b27ba721058d1d47a6abfe7360c","path":"lib/integrate.js"},{"tlsh":"df52956e38f33034056750b9abdf7405b226a413384ee8d436ac87157fed52a96f2acd","sha256":"21e0ace857aeeb5b4896e4cdfc6c66f0ce7f058a085f80b50928cf8647f2ae57","path":"lib/autoIdentity.mjs"},{"tlsh":"ab5294ad7df2203d0577616c240bf01a3b7ac543290dcd92b7ac87606fd96298af1acc","sha256":"b25f814bb5b1b4132a92e40ca1abd2e2a819b0be9eaad39b6f194a71ada16f8c","path":"lib/track.mjs"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/uac-package/MAL-2026-10138.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}