OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10186 confirms this npm version as malicious. google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under...
Advisory
MAL-2026-10186
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in google-caja-bower (npm)
Details
google-caja-bower@1000.801.20 declares scripts.preinstall = 'node index.js', so index.js runs automatically on npm install. index.js walks the installer's current working directory, builds a directory tree, enumerates up to 500 files (skipping only common binary/media extensions) up to 8MB each, and POSTs the tree plus each file's bytes as multipart uploads to two hardcoded Discord webhook URLs under discord.com/api/webhooks/. The payload also collects os.hostname(), process.env.USER / process.env.USERNAME, os.platform(), and process.cwd() and includes them in the webhook messages. Because the file filter excludes only binary/media types, credential-bearing text files present in the working tree (.env,.npmrc, ssh configs, cloud credentials, source code) are uploaded verbatim. The package name impersonates the Google Caja / Bower namespace and its own package description self-labels the behavior as 'collect and send system information to a remote endpoint'; the webhook message body identifies the campaign as 'Dependency Confusion Crawler'.
Decision reason
OpenSSF Malicious Packages via OSV confirms google-caja-bower@1000.80.20 as malicious (MAL-2026-10186): Malicious code in google-caja-bower (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory