VDB
KO

MAL-2026-10019

Malicious code in client-cookies-agent (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24) package.json declares postinstall=`node index.js`, which runs automatically on `npm install`. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.

## Source: ossf-package-analysis (84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95) The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / client-cookies-agent

No fixed version published yet for client-cookies-agent (npm). Pin to a known-safe version or switch to an alternative.

References