MAL-2024-1959

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ccl-component-resources/MAL-2024-1959.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2024-1959
Published
2024-06-25T12:32:40Z
Modified
2026-06-19T15:47:26.800650245Z
Summary
Malicious code in ccl-component-resources (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23)

ccl-component-resources@99.0.0 is a dependency-confusion package: the name targets a likely-internal package, the version is set to 99.0.0 so that any resolver which consults the public registry alongside a private one prefers it over the genuine internal release, and index.js is an empty stub (module.exports = {}). package.json declares a preinstall lifecycle hook that runs node pingback.js; npm runs preinstall automatically during installation, so nothing in the installing project has to invoke the hook. pingback.js reads os.hostname() and POSTs a JSON payload ({hn,...package name, timestamp}) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every npm install. Any installer whose private dependency resolution mistakenly pulls this public package leaks the host identifier of the affected developer or CI machine to an external server. The package self-describes as an 'authorized PoC', but the beacon fires unconditionally for every installer regardless of authorization, and from the installer's perspective the destination is attacker-controlled.
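The two symptoms described above (an install-time lifecycle hook in the manifest, and an internal package name that resolved from the public registry) can both be checked offline from files a project already has. The following is an added example written for this page; it is not code from the advisory, from the package, or from any of the listed sources. The private registry URL and the list of internal package names are assumptions, and the package.json and package-lock.json inputs are constructed to mirror the advisory's description; the SRI integrity value is the one published in this advisory's package_integrity indicator.

```javascript
// Added example (not the advisory's or the package's code): offline checks for
// dependency-confusion symptoms over constructed sample inputs.
//  1. package.json: flag scripts that npm runs automatically when the package
//     is installed as a dependency (the advisory's package declares
//     "preinstall": "node pingback.js").
//  2. package-lock.json: flag an internal name that resolved from somewhere
//     other than the private registry, a tarball whose integrity matches the
//     advisory's indicator, and any entry npm marked as having install scripts.

const PRIVATE_REGISTRY = "https://npm.example.internal/"; // assumption
const INTERNAL_NAMES = new Set(["ccl-component-resources"]); // assumption: must never come from npmjs.org

// SHA-512 SRI of ccl-component-resources-99.0.0.tgz, taken from the advisory's
// package_integrity indicator. A lockfile's "integrity" field uses the same format.
const KNOWN_BAD_INTEGRITY = new Set([
  "sha512-y8yxLVEnxyQF70FMrfoWXveOKNx8snKmtPvZY9ZG8siVT1PxYNmuEiAj7t9k2vD5g03nKkqT55Ipo8DgeSXl0w==",
]);

// Lifecycle scripts npm runs for a dependency during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed manifest mirroring what the advisory describes.
const SAMPLE_PACKAGE_JSON = {
  name: "ccl-component-resources",
  version: "99.0.0",
  main: "index.js",
  scripts: { preinstall: "node pingback.js" },
};

// Constructed lockfileVersion 3 excerpt for a project whose private resolution
// was hijacked by the public 99.0.0 release. "some-public-lib" is a benign
// filler entry with a placeholder integrity value.
const SAMPLE_LOCK = {
  name: "internal-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "internal-app", version: "1.0.0" },
    "node_modules/ccl-component-resources": {
      version: "99.0.0",
      resolved: "https://registry.npmjs.org/ccl-component-resources/-/ccl-component-resources-99.0.0.tgz",
      integrity: "sha512-y8yxLVEnxyQF70FMrfoWXveOKNx8snKmtPvZY9ZG8siVT1PxYNmuEiAj7t9k2vD5g03nKkqT55Ipo8DgeSXl0w==",
      hasInstallScript: true,
    },
    "node_modules/some-public-lib": {
      version: "2.1.0",
      resolved: "https://registry.npmjs.org/some-public-lib/-/some-public-lib-2.1.0.tgz",
      integrity: "sha512-constructedPlaceholderValueForTheBenignEntry==",
    },
  },
};

// Returns the install-time hooks a manifest declares, with their commands.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// Derives a package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromLockPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

// Audits a lockfile object and returns one finding per symptom observed.
function auditLockfile(lock) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the root project itself
    const name = entry.name || nameFromLockPath(lockPath);
    const resolved = entry.resolved || "";
    if (INTERNAL_NAMES.has(name) && !resolved.startsWith(PRIVATE_REGISTRY)) {
      findings.push({ name, version: entry.version, reason: `internal name resolved from ${resolved}` });
    }
    if (KNOWN_BAD_INTEGRITY.has(entry.integrity)) {
      findings.push({ name, version: entry.version, reason: "tarball integrity matches MAL-2024-1959 indicator" });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, version: entry.version, reason: "npm recorded an install script for this package" });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("hooks:", findInstallHooks(SAMPLE_PACKAGE_JSON));
  console.log("lockfile findings:", auditLockfile(SAMPLE_LOCK));
}
```

Run against the sample inputs, the manifest check reports the single preinstall hook and the lockfile audit reports three findings for ccl-component-resources@99.0.0 and none for the benign entry. The lockfile check only works if the lockfile is committed and honoured (`npm ci` rather than `npm install`); the structural fix for the confusion itself is to pin internal names to the private registry in .npmrc via a scope (`@yourscope:registry=https://npm.example.internal/`, with the URL an assumption here) so the public registry is never consulted for them.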

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a6fb98ebaed0b2aee816f6a561ec56adb8d87fbbdecedc02e28aade5838a6f4e",
            "source": "reversing-labs",
            "modified_time": "2024-06-25T12:32:40Z",
            "id": "RLMA-2024-00555",
            "versions": [
                "1.0.732"
            ],
            "import_time": "2024-06-28T02:42:19.808627508Z"
        },
        {
            "sha256": "cedee67680cb2246f9c18ff1976e9518d481a5f6bf1853e4a8d77822687e9a6c",
            "source": "reversing-labs",
            "modified_time": "2024-10-16T12:39:03Z",
            "id": "RLUA-2024-06275",
            "import_time": "2024-10-24T00:57:37.587113273Z"
        },
        {
            "sha256": "a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:09:09Z",
            "id": "IN-MAL-2026-007064",
            "versions": [
                "99.0.0"
            ],
            "import_time": "2026-06-19T15:41:54.628184404Z"
        }
    ]
}

Affected packages

npm / ccl-component-resources

Package

Name
ccl-component-resources
Purl
pkg:npm/ccl-component-resources

Affected versions

1.0.732
99.0.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ccl-component-resources/MAL-2024-1959.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "b627a80cb07bc70bb769357cfd1ffcdb4ffa8f365f63f38d07e38d87e390f5d8",
            "tlsh": "b7f054e1f3a1773407baeac4f0a19809c253c87cf64f6041424802346acedfe503308c",
            "path": "pingback.js"
        },
        {
            "sha256": "a4e9f6a5c1892960a8bc58fae8cca6c83e88ea6bba07b531b230bdf6b0dbf1e3",
            "tlsh": "e8d023751c00a5333dc945f7083651177074cf25a2a59e1d5543c154d09b7fec6b7dc8",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-y8yxLVEnxyQF70FMrfoWXveOKNx8snKmtPvZY9ZG8siVT1PxYNmuEiAj7t9k2vD5g03nKkqT55Ipo8DgeSXl0w==",
                "sha1": "90442c933726f4e50d737ec6814937941c764d31"
            },
            "filename": "ccl-component-resources-99.0.0.tgz"
        }
    ]
}