VDB
EN

MAL-2026-10186

Malicious code in google-caja-bower (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e34339f1be6afb8a41b6dbe2f7d7c480d5a438a67ff119b235d1d98ffa2b2e4a) google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under discord.com/api/webhooks/. The payload also collects os.hostname(), process.env.USER / process.env.USERNAME, os.platform(), and process.cwd() and includes them in the webhook messages. Because the file filter excludes only binary/media types, credential-bearing text files present in the working tree (.env,.npmrc, ssh configs, cloud credentials, source code) are uploaded verbatim. The package name impersonates the Google Caja / Bower namespace and its own package description self-labels the behavior as 'collect and send system information to a remote endpoint'; the webhook message body identifies the campaign as 'Dependency Confusion Crawler'.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / google-caja-bower

No fixed version published yet for google-caja-bower (npm). Pin to a known-safe version or switch to an alternative.

참고