Supply-chain threat intelligence

Incident detail

criticalnpm·dependency confusion·osv

Malicious code in google-caja-bower (npm)

google-caja-bower

Risk score

92

AI summary

Indexed incident for google-caja-bower (npm).

Description

google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under discord.com/api/webhooks/. The payload also collects os.hostname(), process.env.USER / process.env.USERNAME, os.platform(), and process.cwd() and includes them in the webhook messages. Because the file filter excludes only binary/media types, credential-bearing text files present in the working tree (.env,.npmrc, ssh configs, cloud credentials, source code) are uploaded verbatim. The package name impersonates the Google Caja / Bower namespace and its own package description self-labels the behavior as 'collect and send system information to a remote endpoint'; the webhook message body identifies the campaign as 'Dependency Confusion Crawler'.

Technical details

Affected versions

=1000.80.20=20.20.20=999.99.20=999.999.20=1000.800.20=1000.801.20=999.20.20

Indicators

  • affected version=1000.80.2075%
  • affected version=20.20.2075%
  • affected version=999.99.2075%
  • affected version=999.999.2075%
  • affected version=1000.800.2075%
  • affected version=1000.801.2075%
  • affected version=999.20.2075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents