Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10138: Malicious code in uac-package (npm)

0
Critical
Published: 07/10/2026 (07/10/2026, 15:50:23 UTC)
Source: GCVE Database
Product: uac-package

Description

The uac-package npm package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 contain malicious code that silently modifies the installer's source code during installation. It injects tracking code that exfiltrates authentication tokens, cookies, form input data, and purchase context to a hardcoded external endpoint without user consent or documentation. This unauthorized data collection compromises user session security and privacy.

Affected software

npmghsa
uac-package
Affected versions
=1.4.5=1.4.6=1.4.1=1.4.3=1.4.7

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 10:05:08 UTC

Technical Analysis

The uac-package versions 1.4.1, 1.4.3, 1.4.5, 1.4.6, and 1.4.7 execute a postinstall script that modifies the installer's source tree by patching package.json scripts, injecting imports, and adding plugins/modules to build configurations. The injected tracker code enumerates localStorage and sessionStorage for authentication tokens from many identity providers, decodes JWT payloads, scans authentication cookies, monkey-patches network request methods to intercept authentication responses, and listens to form input events to capture user data and purchase details. All collected data is sent to a hardcoded third-party URL without any consent mechanism, effectively creating a covert identity and input data exfiltration channel embedded in the final application.

Potential Impact

This malicious behavior exposes sensitive authentication tokens, session cookies, and user input data from the affected applications to an unauthorized external endpoint. This can lead to user account compromise, session hijacking, and leakage of sensitive personal and transactional information. The compromise occurs silently during installation and persists in the shipped application, impacting end users' security and privacy.

Mitigation Recommendations

No official patch or remediation is currently documented. Users should avoid using the affected versions of uac-package (1.4.1, 1.4.3, 1.4.5, 1.4.6, 1.4.7). Review and remove this package from your projects and replace it with trusted alternatives. Monitor your applications for unauthorized code modifications and network traffic to unknown endpoints. Patch status is not yet confirmed — check the vendor advisory or npm security advisories for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10138
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520edf68715ace439174c8

Added to database: 07/11/2026, 09:37:35 UTC

Last enriched: 07/11/2026, 10:05:08 UTC

Last updated: 07/12/2026, 03:33:50 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses