MAL-2026-6392

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cccmyssr3/MAL-2026-6392.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6392
Published
2026-06-24T14:07:29Z
Modified
2026-06-24T15:18:03.754705992Z
Summary
Malicious code in cccmyssr3 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf)

On npm install, this package automatically runs postinstall.js, which executes curl -X POST with a body containing the installer's hostname ($(hostname)), current user ($(whoami)), and the first 10 environment variables base64-encoded ($(env | head -10 | base64 -w 0)), sending them over plain HTTP to http://r1x55270.requestrepo.com — a requestrepo.com subdomain used as an attacker data-collection endpoint. Environment variables on developer and CI machines routinely contain credentials, API tokens, and CI secrets, so this is a credential-theft payload. The package's main is a trivial one-line formatDate stub and its description is 'A harmless utility package' — a cover story unrelated to the lifecycle behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-007438",
            "sha256": "a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf",
            "import_time": "2026-06-24T15:01:18.001023496Z",
            "modified_time": "2026-06-24T14:07:29Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / cccmyssr3

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "cccmyssr3-1.0.0.tgz",
            "hashes": {
                "sha1": "b1908e73d82b29a92e2136ab0ea5262653df8c7f",
                "sha512_sri": "sha512-F+rM27iRi9ZLUh9XprblY/sEpn0Ev6ln630RV0T8QM21EMqHQJMiu+vTSKawcCjKlaLzMvM2mIBZACj8Q1ZVNg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "ecc080912b784a70f605e394fc708377711bb355b3501998d4480441264d1c71263fd5",
            "sha256": "c4f1e052a1a02b1901bcac48397efd811d5d00ea148615d832b54a1f2428fc6f",
            "path": "postinstall.js"
        },
        {
            "tlsh": "37d0a7244e21967334c05b5a1a13454675255d5b01147c1c1bdb580c53de37344ff319",
            "sha256": "c4cfce1f9ae07c12bb7c07367b84ea3f29581995d385b8c61d2efa4850ef2124",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cccmyssr3/MAL-2026-6392.json"