{"id":"MAL-2024-1959","summary":"Malicious code in ccl-component-resources (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23)\nccl-component-resources@99.0.0 is a dependency-confusion package: name targets a likely-internal package, semver is set to 99.0.0 to win resolution against private registries, and index.js is an empty stub (`module.exports = {}`). package.json declares a `preinstall` lifecycle hook that runs `node pingback.js`. pingback.js reads `os.hostname()` and POSTs a JSON payload (`{hn,...package name, timestamp}`) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every `npm install`. Any installer whose private dependency resolution mistakenly pulls this public package will leak the host identifier of the affected dev or CI machine to an external server. The package self-describes as an 'authorized PoC,' but the beacon fires unconditionally for every installer regardless of authorization, and the destination is attacker-controlled from the installer's perspective.\n","modified":"2026-06-19T15:47:26.800650245Z","published":"2024-06-25T12:32:40Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2024-06-25T12:32:40Z","import_time":"2024-06-28T02:42:19.808627508Z","id":"RLMA-2024-00555","sha256":"a6fb98ebaed0b2aee816f6a561ec56adb8d87fbbdecedc02e28aade5838a6f4e","versions":["1.0.732"],"source":"reversing-labs"},{"modified_time":"2024-10-16T12:39:03Z","import_time":"2024-10-24T00:57:37.587113273Z","id":"RLUA-2024-06275","sha256":"cedee67680cb2246f9c18ff1976e9518d481a5f6bf1853e4a8d77822687e9a6c","source":"reversing-labs"},{"modified_time":"2026-06-19T14:09:09Z","source":"amazon-inspector","id":"IN-MAL-2026-007064","versions":["99.0.0"],"sha256":"a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23","import_time":"2026-06-19T15:41:54.628184404Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ccl-component-resources/v/99.0.0"}],"affected":[{"package":{"name":"ccl-component-resources","ecosystem":"npm","purl":"pkg:npm/ccl-component-resources"},"versions":["1.0.732","99.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ccl-component-resources/MAL-2024-1959.json","indicators":{"package_integrity":[{"filename":"ccl-component-resources-99.0.0.tgz","hashes":{"sha512_sri":"sha512-y8yxLVEnxyQF70FMrfoWXveOKNx8snKmtPvZY9ZG8siVT1PxYNmuEiAj7t9k2vD5g03nKkqT55Ipo8DgeSXl0w==","sha1":"90442c933726f4e50d737ec6814937941c764d31"}}],"evidence_files":[{"tlsh":"b7f054e1f3a1773407baeac4f0a19809c253c87cf64f6041424802346acedfe503308c","path":"pingback.js","sha256":"b627a80cb07bc70bb769357cfd1ffcdb4ffa8f365f63f38d07e38d87e390f5d8"},{"tlsh":"e8d023751c00a5333dc945f7083651177074cf25a2a59e1d5543c154d09b7fec6b7dc8","path":"package.json","sha256":"a4e9f6a5c1892960a8bc58fae8cca6c83e88ea6bba07b531b230bdf6b0dbf1e3"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}