registry  /  uac-package  /  1.4.6

uac-package@1.4.6

Zero-config User Activity Control — auto domain registration, click tracking, device detection for any Vite/Vue/React/Node project

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10138 confirms this npm version as malicious. On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*...

Advisory
MAL-2026-10138
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in uac-package (npm)
Details
On npm install, uac-package@1.4.7 runs postinstall.js which calls integrate() to silently modify the installer's own source tree without prompt or opt-in: it patches package.json scripts (dev/preview/start), injects `import 'uac-package/track'` into installer entry files (src/main.{js,ts,jsx,tsx}, src/index.{js,ts}), adds a Vite plugin to vite.config.*, and adds a Nuxt module entry to nuxt.config.*. Once wired in, the injected tracker (autoIdentity.mjs, track.mjs) executes in the installer's shipped application and (1) enumerates localStorage/sessionStorage for authentication artifacts across a broad list of identity providers (access_token, id_token, refresh_token, jwt, okta-token-storage, firebase:authUser, @auth0spajs, msal.account.keys, CognitoIdentityServiceProvider, supabase.auth.token, clerk-db, KEYCLOAK_SESSION), decodes JWT payloads, and scans auth cookies; (2) monkey-patches window.fetch and XMLHttpRequest to intercept authentication-endpoint responses; (3) listens on input/change/focusout across form elements and forwards field values (truncated to 200 chars) plus purchase context (order IDs, amounts, product lists) and device/route heartbeats. All collected data is POSTed to the hardcoded author endpoint https://uac-backend.clay.in/api/activities. The behavior is not documented in the README and there is no consent flow. Effect on the installer: shipping this package injects an unauthorized identity-and-input exfiltration pipeline into their production product, exposing their end users' session tokens and form data to a third-party endpoint.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 34 file(s), 115 KB of source, external domains: github.com, uac-backend.clay.in

Source & flagged code

3 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
lib/track.mjsView file
52Manifest entrypoint (manifest.exports) carries capability families absent from dist/build output: environment+network L52: L53: if (typeof import.meta === 'undefined' || !import.meta.env) { L54: return undefined; ... L120: try { L121: const response = await fetch(`${getApiUrl()}/api/domains`, { L122: method: 'POST', L123: headers: { 'Content-Type': 'application/json' }, L124: body: JSON.stringify({ name: domain }), L125: keepalive: true, ... L135: if (import.meta.env?.DEV) { L136: const message = await response.text().catch(() => response.statusText); L137: console.warn(`[UAC] Domain register failed (${response.status}):`, message);
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

lib/track.mjsView on unpkg · L52

Findings

2 High4 Medium6 Low
HighInstall Time Lifecycle Scriptspackage.json
HighEntrypoint Build Divergencelib/track.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings