OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10019 confirms this npm version as malicious. package.json declares postinstall=`node index.js`, which runs automatically on `npm install`. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP...
Advisory
MAL-2026-10019
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in client-cookies-agent (npm)
Details
package.json declares postinstall=`node index.js`, which runs automatically on `npm install`. index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.
## Source: ossf-package-analysis (84540e9e44077c6ea24d8b8dc6093397f9ff6bcac74e53fe1dabfdd37d1a9b95) The OpenSSF Package Analysis project identified 'client-cookies-agent' @ 99.9.5 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms client-cookies-agent@99.9.6 as malicious (MAL-2026-10019): Malicious code in client-cookies-agent (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory