cktool-core @1.0.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10457
Ecosystem
npm
Summary
cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded external endpoint at npx-monitor-76056.azurewebsites.net/api/pingback. The behavior fires unconditionally via the declared postinstall lifecycle hook, so any misresolution results in attacker-controlled JavaScript executing on the installer's machine and an install beacon leaving to a non-vendor destination. The package.json description self-labels this as a dependency-confusion PoC, but the mechanism and installer impact are identical to a real dependency-confusion attack against Apple's private namespace.
Source: amazon-inspector (18ee2228fd4f97fcc261019bf662b6e3006a5aed7a6f3bc0ec4fa505a84aa037)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.