npm

ccl-component-resources @99.0.0

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2024-1959

Ecosystem

npm

Summary

ccl-component-resources@99.0.0 is a dependency-confusion package: the name targets a likely-internal package, the version is set to 99.0.0 so that an installer which consults both a private registry and the public registry resolves to the higher public version, and index.js is an empty stub (module.exports = {}). package.json declares a preinstall lifecycle hook that runs node pingback.js. pingback.js reads os.hostname() and POSTs a JSON payload ({hn,...package name, timestamp}) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every npm install. Any installer whose private dependency resolution mistakenly pulls this public package leaks the host identifier of the affected developer or CI machine to an external server. The package self-describes as an 'authorized PoC', but the beacon fires unconditionally for every installer regardless of authorization, and the destination is attacker-controlled from the installer's perspective. Because the only executable payload lives in the preinstall hook and the module body is empty, installs that run with lifecycle scripts disabled do not trigger the beacon.

Source: amazon-inspector (a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23)
