-= Per source details. Do not edit below this line.=-
package.json declares a preinstall lifecycle script that runs curl to POST installer reconnaissance data — hostname, current user (whoami), working directory, and uid/gid (id) — to a hardcoded webhook.site collector endpoint on every npm install. The package is published under an @checkrhq scope impersonating Checkr Inc. (author email uses checkr.com; description states 'This package is for testing only.') and ships no functional code, matching the canonical dependency-confusion beacon pattern targeting an organization's internal package namespace. Installing this package causes automatic outbound transmission of host and user identifiers to an anonymous third-party collector controlled by the publisher.
The OpenSSF Package Analysis project identified '@checkrhq/adjudication-api-client' @ 0.0.2 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"sha256": "dc8d5c39d401d053978bb8f17234bc79db730d15b55634319f239baf32dc9b0b",
"versions": [
"0.0.2"
],
"import_time": "2026-07-05T23:26:10.436945716Z",
"modified_time": "2026-07-02T20:51:05Z",
"source": "ossf-package-analysis"
},
{
"sha256": "8c52d9987ace09f0c48d8b0661bd1fcd3cf4e7e701b5e515810c7f32d99086cf",
"id": "IN-MAL-2026-009364",
"import_time": "2026-07-09T17:19:29.525560805Z",
"modified_time": "2026-07-09T17:01:32Z",
"versions": [
"0.0.2"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "a597b12e44707978fb72a4529ac01770e8a3561379e5527f6f09071588dbd0bf",
"tlsh": "7fe0c0602910a5337bd907a21824818fff74fd0fcf512c80e797916c0c892354ab710c",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "adjudication-api-client-0.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-0MDn4mn+80uHXsDwFL4joTSX0d6vZFqmcQgP0XT5kIyux3iZgCXSUPMdjvFR5QJApU2BXy5qhzB9qYm5T2eZRA==",
"sha1": "31a4f8ebc66b500b47a7e2863c673c8b8d87c1c5"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@checkrhq/adjudication-api-client/MAL-2026-6789.json"