MAL-2026-10186
Malicious code in google-caja-bower (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e34339f1be6afb8a41b6dbe2f7d7c480d5a438a67ff119b235d1d98ffa2b2e4a) google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under discord.com/api/webhooks/. The payload also collects os.hostname(), process.env.USER / process.env.USERNAME, os.platform(), and process.cwd() and includes them in the webhook messages. Because the file filter excludes only binary/media types, credential-bearing text files present in the working tree (.env,.npmrc, ssh configs, cloud credentials, source code) are uploaded verbatim. The package name impersonates the Google Caja / Bower namespace and its own package description self-labels the behavior as 'collect and send system information to a remote endpoint'; the webhook message body identifies the campaign as 'Dependency Confusion Crawler'.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for google-caja-bower (npm). Pin to a known-safe version or switch to an alternative.
참고
- https://www.npmjs.com/package/google-caja-bower/v/1000.80.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/20.20.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.99.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.999.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/1000.800.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/1000.801.20 [PACKAGE]
- https://www.npmjs.com/package/google-caja-bower/v/999.20.20 [PACKAGE]