npm · Malicious package advisory
Malwarecktool-core
MAL-2026-10457
Malicious code in cktool-core (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (18ee2228fd4f97fcc261019bf662b6e3006a5aed7a6f3bc0ec4fa505a84aa037) cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded external endpoint at npx-monitor-76056.azurewebsites.net/api/pingback. The behavior fires unconditionally via the declared postinstall lifecycle hook, so any misresolution results in attacker-controlled JavaScript executing on the installer's machine and an install beacon leaving to a non-vendor destination. The package.json description self-labels this as a dependency-confusion PoC, but the mechanism and installer impact are identical to a real dependency-confusion attack against Apple's private namespace.
Compromised versions (3)
- 1.0.0
- 1.0.2
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.