
xrblocks-remote-control @22.0.0

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC

Malicious

OSV ID

MAL-2026-6530

Ecosystem

npm

Summary

Package xrblocks-remote-control ships a bin script that, when invoked (including via npx, or when a build that expects the xrblocks name unintentionally resolves to this package), POSTs the basename of process.env.INIT_CWD (the installer's project directory name) plus a timestamp to a hardcoded external callback at https://deepbounty.dd06-dev.fr/cb/46b252ec-a089-4f22-8b5e-5cee945106dc . The package provides no advertised functionality: package.json self-describes as a 'Security PoC for Bug Bounty', no main module is shipped, and the bin's sole effect is the outbound beacon. The package name targets Google's xrblocks namespace as a dependency-confusion / typosquat probe; the beacon tells the operator which project resolved the name, which is exactly the confirmation such a probe is after. Regardless of whether the operator is a bug-bounty researcher, installers and build systems that resolve this package have a project identifier transmitted to a third-party host without consent, so any lockfile or build log that references this package at 22.0.0 should be treated as a confirmed resolution and the dependency removed.

Source: amazon-inspector (6e20199ccf4c5557bf9d6bd0f17f0f74b47aa54389f22247523fb9145ef29def)
