Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in client-cookies-agent (npm)

client-cookies-agent

Risk score

92

AI summary

Indexed incident for client-cookies-agent (npm).

Description

package.json declares postinstall=node index.js, which runs automatically on npm install. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.

The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Technical details

Affected versions

=99.9.5=99.9.6=99.9.7

Indicators

  • affected version=99.9.575%
  • affected version=99.9.675%
  • affected version=99.9.775%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents