VDB
KO

MAL-2026-10457

Malicious code in cktool-core (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (18ee2228fd4f97fcc261019bf662b6e3006a5aed7a6f3bc0ec4fa505a84aa037) cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded external endpoint at npx-monitor-76056.azurewebsites.net/api/pingback. The behavior fires unconditionally via the declared postinstall lifecycle hook, so any misresolution results in attacker-controlled JavaScript executing on the installer's machine and an install beacon leaving to a non-vendor destination. The package.json description self-labels this as a dependency-confusion PoC, but the mechanism and installer impact are identical to a real dependency-confusion attack against Apple's private namespace.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cktool-core

No fixed version published yet for cktool-core (npm). Pin to a known-safe version or switch to an alternative.

References