registry  /  uac-package  /  1.4.1

uac-package@1.4.1

Zero-config User Activity Control — auto domain registration, click tracking, device detection for any Vite/Vue/React/Node project

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10138 confirms this npm version as malicious. On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*...

Advisory
MAL-2026-10138
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in uac-package (npm)
Details
On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (access_token, id_token, refresh_token, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAK_SESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.
Decision reason
OpenSSF Malicious Packages via OSV confirms uac-package@1.4.1 as malicious (MAL-2026-10138): Malicious code in uac-package (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory