MAL-2026-6530

Malicious code in xrblocks-remote-control (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e20199ccf4c5557bf9d6bd0f17f0f74b47aa54389f22247523fb9145ef29def)

Package `xrblocks-remote-control` ships a `bin` script that, when invoked (including via `npx` or unintended resolution against the `xrblocks` name), POSTs the basename of `process.env.INIT_CWD` (the installer's project directory name) plus a timestamp to a hardcoded external callback at `https://deepbounty.dd06-dev.fr/cb/46b252ec-a089-4f22-8b5e-5cee945106dc`. The package provides no advertised functionality: `package.json` self-describes as a 'Security PoC for Bug Bounty' and no `main` module is shipped; the bin's sole effect is the outbound beacon. The package name targets Google's `xrblocks` namespace as a dependency-confusion / typosquat probe. Regardless of whether the operator is a bug-bounty researcher, installers and build systems that resolve this package have a project identifier transmitted to a third-party host without consent.


Affected packages

npm / xrblocks-remote-control

No fixed version is published for xrblocks-remote-control (npm), and there is no known-safe version to pin to: the package provides no functionality, and its only effect is the outbound beacon. Remove it from package manifests and lockfiles, verify that the intended `xrblocks` dependency is not being resolved to this name, and treat any install or `npx` invocation as having disclosed the project directory name to the callback host.

References