{"id":"MAL-2026-6392","summary":"Malicious code in cccmyssr3 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf)\nOn `npm install`, this package automatically runs postinstall.js, which executes `curl -X POST` with a body containing the installer's hostname (`$(hostname)`), current user (`$(whoami)`), and the first 10 environment variables base64-encoded (`$(env | head -10 | base64 -w 0)`), sending them over plain HTTP to http://r1x55270.requestrepo.com — a requestrepo.com subdomain used as an attacker data-collection endpoint. Environment variables on developer and CI machines routinely contain credentials, API tokens, and CI secrets, so this is a credential-theft payload. The package's `main` is a trivial one-line `formatDate` stub and its description is 'A harmless utility package' — a cover story unrelated to the lifecycle behavior.\n","modified":"2026-06-24T15:18:03.754705992Z","published":"2026-06-24T14:07:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-24T15:01:18.001023496Z","modified_time":"2026-06-24T14:07:29Z","sha256":"a15e77975be346fa9b834e50124784a6774b5385e47072ae80911f5eda92cabf","source":"amazon-inspector","versions":["1.0.0"],"id":"IN-MAL-2026-007438"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/cccmyssr3/v/1.0.0"}],"affected":[{"package":{"name":"cccmyssr3","ecosystem":"npm","purl":"pkg:npm/cccmyssr3"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"cccmyssr3-1.0.0.tgz","hashes":{"sha1":"b1908e73d82b29a92e2136ab0ea5262653df8c7f","sha512_sri":"sha512-F+rM27iRi9ZLUh9XprblY/sEpn0Ev6ln630RV0T8QM21EMqHQJMiu+vTSKawcCjKlaLzMvM2mIBZACj8Q1ZVNg=="}}],"evidence_files":[{"tlsh":"ecc080912b784a70f605e394fc708377711bb355b3501998d4480441264d1c71263fd5","path":"postinstall.js","sha256":"c4f1e052a1a02b1901bcac48397efd811d5d00ea148615d832b54a1f2428fc6f"},{"sha256":"c4cfce1f9ae07c12bb7c07367b84ea3f29581995d385b8c61d2efa4850ef2124","tlsh":"37d0a7244e21967334c05b5a1a13454675255d5b01147c1c1bdb580c53de37344ff319","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/cccmyssr3/MAL-2026-6392.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}