{"id":"MAL-2026-3667","summary":"Malicious code in 0ctf-chalweb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d)\nThe package's entire content (xss.js) is a 2-line cookie-stealing payload that creates an Image element pointing to https://collaborator.gbrls.workers.dev/ with base64-encoded document.cookie appended. This is a textbook XSS cookie exfiltration primitive targeting an attacker-controlled Cloudflare Workers endpoint. Regardless of whether this was published as a CTF artifact, any consumer who installs and bundles this package into a web app will exfiltrate end-users' cookies. There is no legitimate use case for publishing a cookie-exfil snippet to the public npm registry.\n","modified":"2026-05-13T20:23:06.851561Z","published":"2026-05-12T07:42:10Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-13T20:10:51.64659689Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"6d7a129ab6079febb92ceac3587af97653477bce8a65b8e85bfa5bcae0293b0d","id":"IN-MAL-2026-002143","modified_time":"2026-05-12T19:03:07Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0ctf-chalweb/v/1.0.0"}],"affected":[{"package":{"name":"0ctf-chalweb","ecosystem":"npm","purl":"pkg:npm/0ctf-chalweb"},"versions":["1.0.0"],"database_specific":{"indicators":{"domains":["collaborator.gbrls.workers.dev"],"urls":["https://collaborator.gbrls.workers.dev/"],"evidence_files":[{"path":"xss.js","sha256":"decdf14c9d0d7a053b21540e05b7942fbf60f9a8a52e643b072b88bf3a667756","tlsh":"45b0123208ab900e5061b300b4605399f4b914eb780121a8b29d7424308b5564700570"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-ACz+EB+WV8ZplIt3nj9pYKFQc6k/aq5tOlet20uPBE7Qonlx7NKwDLUWCKXloMy6lI1Y/LPuz85wlJZFZTqnLA==","sha1":"a34b8ff67ffc25f08f9a056a9763db1dd8bb4e44"},"filename":"0ctf-chalweb-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0ctf-chalweb/MAL-2026-3667.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}