client-cookies-agent @99.9.6
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-10019
Ecosystem
npm
Summary
package.json declares postinstall= node index.js , which runs automatically on npm install . index.js collects host identifiers via os.hostname(), os.userInfo(), and process.cwd(), resolves the external IPv4 address, and POSTs them as JSON to a hardcoded Interactsh-style out-of-band collector at lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun/receive-data over plain HTTP. The package has empty description and author fields and is published at version 99.9.5, a shape consistent with a dependency-confusion squat against a private/internal package name: installing (or accidentally resolving) this name causes a reconnaissance beacon to fire from the developer or CI machine, confirming code execution on the target and leaking host, user, cwd, and network identifiers to the attacker.
Source: amazon-inspector (12870ae203f2612ab2bf9e796583acba17914cd4699909156f86c643fcf51f24)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.