MAL-2026-10138
Malicious code in uac-package (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4d2c2d224834611b638d571689ba89e7ad9b15f59f68a01f403056d02c9278c9) On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (access_token, id_token, refresh_token, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAK_SESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for uac-package (npm). Pin to a known-safe version or switch to an alternative.