{"id":"MAL-2026-6530","summary":"Malicious code in xrblocks-remote-control (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6e20199ccf4c5557bf9d6bd0f17f0f74b47aa54389f22247523fb9145ef29def)\nPackage `xrblocks-remote-control` ships a `bin` script that, when invoked (including via `npx` or unintended resolution against the `xrblocks` name), POSTs the basename of `process.env.INIT_CWD` (the installer's project directory name) plus a timestamp to a hardcoded external callback at `https://deepbounty.dd06-dev.fr/cb/46b252ec-a089-4f22-8b5e-5cee945106dc`. The package provides no advertised functionality — `package.json` self-describes as a 'Security PoC for Bug Bounty' and no `main` module is shipped; the bin's sole effect is the outbound beacon. The package name targets Google's `xrblocks` namespace as a dependency-confusion / typosquat probe. Regardless of whether the operator is a bug-bounty researcher, installers and build systems that resolve this package have a project identifier transmitted to a third-party host without consent.\n","modified":"2026-06-26T17:46:36.705736347Z","published":"2026-06-26T16:56:03Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-06-26T16:56:03Z","import_time":"2026-06-26T17:38:00.233993426Z","id":"IN-MAL-2026-007642","versions":["22.0.0"],"sha256":"6e20199ccf4c5557bf9d6bd0f17f0f74b47aa54389f22247523fb9145ef29def"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/xrblocks-remote-control/v/22.0.0"}],"affected":[{"package":{"name":"xrblocks-remote-control","ecosystem":"npm","purl":"pkg:npm/xrblocks-remote-control"},"versions":["22.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/xrblocks-remote-control/MAL-2026-6530.json","indicators":{"evidence_files":[{"path":"bin/run.js","tlsh":"5e2162815ad25b3422ea1bc0999b9c0b7327a10b3e41e598b95c018c2fc813c9573bce","sha256":"0a4ce8942c7c75aac05e10711b0851a73d1748922f3900c9477bd069c31d1e48"},{"path":"package.json","tlsh":"36d0220f043b2af32ec58dec2c3eb284402c526838618b8d4c043420c8ddbf5b13b74a","sha256":"f623b0aa55181fc464fd3f13b50b55499c134522dc78c660125ac1c340380429"}],"package_integrity":[{"filename":"xrblocks-remote-control-22.0.0.tgz","hashes":{"sha1":"7863ad2b7b0ce69d66f8b08902c2ae8f9e1a667b","sha512_sri":"sha512-GQS/l4rCKAYO2hzRxT3ycqwtoQ/KHS+oGDhb6gs6yAl1Extkh9PW7phBGVMa+qBzyZY4JsRxnNsz57ObpxY5yA=="}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}