npm

client-cookies-agent @99.9.6

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10019

Ecosystem

npm

Summary

package.json declares postinstall= node index.js , which runs automatically on npm install . index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.

Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.