{"id":"MAL-2026-3669","summary":"Malicious code in 100jsss (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (207a07d918d9b3ddfdf0f845ec22f6bab19629fa77968d3b41409d0b62bad441)\nThe main entry g.js constructs an image beacon whose src is a base64-decoded attacker URL (https://w.g32.com/g?k=) concatenated with btoa(document.location.href + '*' + document.cookie), exfiltrating the current URL and cookies cross-origin. The destination host is deliberately hidden behind atob() to evade string-based scanning. The package has placeholder metadata, no real functionality, and a trivial README, consistent with a malicious PoC/throwaway upload rather than a legitimate library. Obfuscation + exfiltration + credential-theft target (document.cookie) is an unambiguous malicious combination.\n","modified":"2026-05-13T20:23:26.191824Z","published":"2026-05-12T07:43:31Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-13T20:10:55.781687177Z","id":"IN-MAL-2026-002325","versions":["1.0.0"],"modified_time":"2026-05-12T19:03:07Z","sha256":"207a07d918d9b3ddfdf0f845ec22f6bab19629fa77968d3b41409d0b62bad441","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/100jsss/v/1.0.0"}],"affected":[{"package":{"name":"100jsss","ecosystem":"npm","purl":"pkg:npm/100jsss"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"d8b02b743008441c18c00011b830a3c87cb3182d34232410c20cec6c6516f010470b34","path":"g.js","sha256":"3e8bd92ebf7824a05599f7fdeb4b84c94883ac95c3e50a9032beb7064fa1156a"}],"urls":["https://w.g32.com/g?k="],"domains":["w.g32.com"],"package_integrity":[{"hashes":{"sha1":"bb4b608c05b87dbd25ec0525b833938a43a260f0","sha512_sri":"sha512-XdJRZtNjPON/3MLd3bRgtAwBrKY7HMwatMgU3CiVLR/4RoYw4qHUCddqOPu3y99IVs8e8HKC+JYoFquylpiiwg=="},"filename":"100jsss-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/100jsss/MAL-2026-3669.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}