MAL-2026-10138: Malicious code in uac-package (npm)
The uac-package npm package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 contain malicious code that silently modifies the installer's source code during installation. It injects tracking code that exfiltrates authentication tokens, cookies, form input data, and purchase context to a hardcoded external endpoint without user consent or documentation. This unauthorized data collection compromises user session security and privacy.
AI Analysis
Technical Summary
The uac-package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 execute a postinstall script that modifies the installer's source tree by patching package.json scripts, injecting imports, and adding plugins/modules to build configurations. The injected tracker code enumerates localStorage and sessionStorage for authentication tokens from many identity providers, decodes JWT payloads, scans authentication cookies, monkey-patches network request methods to intercept authentication responses, and listens to form input events to capture user data and purchase details. All collected data is sent to a hardcoded third-party URL without any consent mechanism, effectively creating a covert identity and input data exfiltration channel embedded in the final application.
Potential Impact
This malicious behavior exposes sensitive authentication tokens, session cookies, and user input data from the affected applications to an unauthorized external endpoint. This can lead to user account compromise, session hijacking, and leakage of sensitive personal and transactional information. The compromise occurs silently during installation and persists in the shipped application, impacting end users' security and privacy.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using the affected versions of uac-package (1.4.1, 1.4.3, 1.4.5, 1.4.6, 1.4.7). Review and remove this package from your projects and replace it with trusted alternatives. Monitor your applications for unauthorized code modifications and network traffic to unknown endpoints. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
MAL-2026-10138: Malicious code in uac-package (npm)
Description
The uac-package npm package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 contain malicious code that silently modifies the installer's source code during installation. It injects tracking code that exfiltrates authentication tokens, cookies, form input data, and purchase context to a hardcoded external endpoint without user consent or documentation. This unauthorized data collection compromises user session security and privacy.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The uac-package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 execute a postinstall script that modifies the installer's source tree by patching package.json scripts, injecting imports, and adding plugins/modules to build configurations. The injected tracker code enumerates localStorage and sessionStorage for authentication tokens from many identity providers, decodes JWT payloads, scans authentication cookies, monkey-patches network request methods to intercept authentication responses, and listens to form input events to capture user data and purchase details. All collected data is sent to a hardcoded third-party URL without any consent mechanism, effectively creating a covert identity and input data exfiltration channel embedded in the final application.
Potential Impact
This malicious behavior exposes sensitive authentication tokens, session cookies, and user input data from the affected applications to an unauthorized external endpoint. This can lead to user account compromise, session hijacking, and leakage of sensitive personal and transactional information. The compromise occurs silently during installation and persists in the shipped application, impacting end users' security and privacy.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using the affected versions of uac-package (1.4.1, 1.4.3, 1.4.5, 1.4.6, 1.4.7). Review and remove this package from your projects and replace it with trusted alternatives. Monitor your applications for unauthorized code modifications and network traffic to unknown endpoints. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10138
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520edf68715ace439174c8
Added to database: 07/11/2026, 09:37:35 UTC
Last enriched: 07/11/2026, 10:05:08 UTC
Last updated: 07/12/2026, 03:33:50 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.