Skip to content

Add OSV reports for click2ai dependency-confusion campaign (npm, 17 packages)#1348

Merged
elitsa-gosst merged 3 commits into
ossf:mainfrom
KunalSin9h:report-click2ai-dependency-confusion
Jul 13, 2026
Merged

Add OSV reports for click2ai dependency-confusion campaign (npm, 17 packages)#1348
elitsa-gosst merged 3 commits into
ossf:mainfrom
KunalSin9h:report-click2ai-dependency-confusion

Conversation

@KunalSin9h

@KunalSin9h KunalSin9h commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Reports 17 malicious npm packages published by npm user click2ai (maintainer email privatek3m@protonmail.com). The packages form a dependency-confusion / reconnaissance campaign: each uses a brand-lookalike name impersonating an organization's internal/private package namespace so a misconfigured resolver installs the public lookalike.

Update: Added 3 further packages from the same account (chat-adapter-zoom, salesforce-vscode-slds, slds-lsp-client) published in the days after the initial submission, per reviewer feedback. Same account, same install-time payload.

Behavior (identical across all 17)

Each package declares a preinstall hook:

"preinstall": "npm install @sentry/node && node examples/verify.js"

At install time, before any application code runs, the bundled examples/verify.jssrc/index.js:

  1. Initializes @sentry/node against a hardcoded, attacker-controlled Sentry DSN with sendDefaultPii: true.
  2. Resolves the host's public egress IP via Cloudflare /cdn-cgi/trace (spoofed desktop-browser User-Agent to bypass bot challenges).
  3. Deliberately triggers a runtime exception, captures it, and flushes the event — beaconing host telemetry (public IP + hostname, OS username, environment metadata) to the attacker's Sentry ingest endpoint o4510485815754752.ingest.us.sentry.io.

The install-time payload is byte-for-byte identical across all packages, differing only in package name and DSN. Each impersonated namespace beacons to a distinct Sentry project ID, letting the operator attribute installs to specific victim organizations — consistent with a dependency-confusion recon beacon, not legitimate error monitoring.

Packages (17)

Package Impersonated namespace Sentry project
@idms-corp/auth-ui @idms-corp 4511630867824640
@flex-ng/header-component @flex-ng 4511632071262208
@flex-ng/error-component @flex-ng 4511632071262208
@flex-ng/filter-pipe @flex-ng 4511632071262208
@logdna-web/styles @logdna-web 4511632708141056
@logdna-web/shared @logdna-web 4511632708141056
tme-xca tme-* 4511630928838656
tme-xca-react tme-* 4511630928838656
tme-error tme-* 4511621197856768
enbd-react-logger enbd-* 4511675212038149
enbd-react-error-boundry enbd-* 4511675212038149
enbd-react-lib enbd-* 4511675212038149
box-react-uix box-* 4511675212038149
sams-sr-sdk-h5 sams-* 4511664042999808
chat-adapter-zoom zoom-* (Zoom) 4511709729914880
salesforce-vscode-slds slds-* (Salesforce SLDS) 4511716882972672
slds-lsp-client slds-* (Salesforce SLDS) 4511716882972672

…ackages)

npm user 'click2ai' (privatek3m@protonmail.com) published 14 brand-lookalike
packages across multiple internal/private namespaces (@logdna-web, @flex-ng,
@idms-corp, enbd-*, tme-*, box-*, sams-*). Each carries an identical preinstall
beacon that runs at install time: it resolves the host's public IP via
Cloudflare /cdn-cgi/trace and exfiltrates host PII to a hardcoded attacker
Sentry DSN, with a distinct Sentry project ID per impersonated namespace.

Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
@elitsa-gosst

Copy link
Copy Markdown
Collaborator

There are 3 more packages that have been added in the last 3 days: https://www.npmjs.com/~click2ai

Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
@KunalSin9h KunalSin9h changed the title Add OSV reports for click2ai dependency-confusion campaign (npm, 14 packages) Add OSV reports for click2ai dependency-confusion campaign (npm, 17 packages) Jul 13, 2026
@KunalSin9h

Copy link
Copy Markdown
Contributor Author

Thanks @elitsa-gosst! Good catch — I've added the 3 additional packages from the same click2ai account (published in the days after the initial submission):

  • chat-adapter-zoom (impersonates Zoom) → Sentry project 4511709729914880
  • salesforce-vscode-slds (impersonates Salesforce SLDS) → Sentry project 4511716882972672
  • slds-lsp-client (impersonates Salesforce SLDS) → Sentry project 4511716882972672

Each carries the same install-time payload as the other 14 (identical preinstall@sentry/node recon beacon), differing only in package name and DSN. The PR description and package table are updated to reflect all 17 packages. PTAL when you get a chance.

@elitsa-gosst

Copy link
Copy Markdown
Collaborator

Thanks for updating with the rest of the packages!

@elitsa-gosst elitsa-gosst merged commit ecf3ff8 into ossf:main Jul 13, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants