MAL-2026-10186
Malicious code in google-caja-bower (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e34339f1be6afb8a41b6dbe2f7d7c480d5a438a67ff119b235d1d98ffa2b2e4a) google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under discord.com/api/webhooks/. The payload also collects os.hostname(), process.env.USER / process.env.USERNAME, os.platform(), and process.cwd() and includes them in the webhook messages. Because the file filter excludes only binary/media types, credential-bearing text files present in the working tree (.env,.npmrc, ssh configs, cloud credentials, source code) are uploaded verbatim. The package name impersonates the Google Caja / Bower namespace and its own package description self-labels the behavior as 'collect and send system information to a remote endpoint'; the webhook message body identifies the campaign as 'Dependency Confusion Crawler'.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for google-caja-bower (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/google-caja-bower/v/1000.80.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/20.20.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.99.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.999.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/1000.800.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/1000.801.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.20.20 [PACKAGE]