-= Per source details. Do not edit below this line.=-
On npm install, this package automatically runs postinstall.js, which executes curl -X POST with a body containing the installer's hostname ($(hostname)), current user ($(whoami)), and the first 10 environment variables base64-encoded ($(env | head -10 | base64 -w 0)), sending them over plain HTTP to http://r1x55270.requestrepo.com — a requestrepo.com subdomain used as an attacker data-collection endpoint. Environment variables on developer and CI machines routinely contain credentials, API tokens, and CI secrets, so this is a credential-theft payload. The package's main is a trivial one-line formatDate stub and its description is 'A harmless utility package' — a cover story unrelated to the lifecycle behavior.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007438",
"sha256": "a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf",
"import_time": "2026-06-24T15:01:18.001023496Z",
"modified_time": "2026-06-24T14:07:29Z",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "cccmyssr3-1.0.0.tgz",
"hashes": {
"sha1": "b1908e73d82b29a92e2136ab0ea5262653df8c7f",
"sha512_sri": "sha512-F+rM27iRi9ZLUh9XprblY/sEpn0Ev6ln630RV0T8QM21EMqHQJMiu+vTSKawcCjKlaLzMvM2mIBZACj8Q1ZVNg=="
}
}
],
"evidence_files": [
{
"tlsh": "ecc080912b784a70f605e394fc708377711bb355b3501998d4480441264d1c71263fd5",
"sha256": "c4f1e052a1a02b1901bcac48397efd811d5d00ea148615d832b54a1f2428fc6f",
"path": "postinstall.js"
},
{
"tlsh": "37d0a7244e21967334c05b5a1a13454675255d5b01147c1c1bdb580c53de37344ff319",
"sha256": "c4cfce1f9ae07c12bb7c07367b84ea3f29581995d385b8c61d2efa4850ef2124",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cccmyssr3/MAL-2026-6392.json"