npm · Malicious package advisory
Malwareclient-cookies-agent
MAL-2026-10019
Malicious code in client-cookies-agent (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24) package.json declares postinstall=`node index.js`, which runs automatically on `npm install`. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker. ## Source: ossf-package-analysis (84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95) The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (3)
- 99.9.5
- 99.9.6
- 99.9.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.