
cktool-core@1.0.0

⚠️ SECURITY RESEARCH — Apple Bug Bounty dependency confusion PoC. The correct package is @apple/cktool.core.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Install triggers an unconsented network pingback with a persistent unique install ID. The package is explicitly a dependency-confusion proof of concept for an Apple-adjacent package name.

Static reason
One or more suspicious static signals were detected.
Trigger
npm install lifecycle postinstall
Impact
Tracks affected installs and confirms dependency-confusion resolution from consuming environments.
Mechanism
install-time telemetry beacon with persistent ID
Attack narrative
On npm install, the postinstall hook runs postinstall.js. It reads or creates a stable UUID in the user's cache directory, builds a JSON payload containing that ID, package version, install source, and timestamp, then POSTs it to an Azure endpoint. The package describes itself as a dependency confusion PoC targeting the unscoped cktool-core name rather than Apple's @apple/cktool.core.
Rationale
Source inspection confirms install-time network telemetry and persistent identifier creation in a package explicitly positioned for dependency-confusion testing. Even without credential theft or command execution, unconsented lifecycle beaconing from a confusion package is concrete attack behavior suitable for blocking.
Evidence
  • package.json
  • postinstall.js
  • index.js
  • README.md
  • $XDG_CACHE_HOME/.cktool-core-id
  • ~/.cache/.cktool-core-id
Network endpoints (1)
npx-monitor-76056.azurewebsites.net/api/pingback

Decision evidence

public snapshot
AI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json runs postinstall: node postinstall.js
  • postinstall.js sends install-time POST to npx-monitor-76056.azurewebsites.net/api/pingback
  • postinstall.js creates or reuses a persistent install ID in XDG cache/home cache
  • Payload includes unique id, version, via=npm-postinstall, and timestamp
  • README and package metadata identify this as a dependency confusion PoC for cktool-core vs @apple/cktool.core
Evidence against
  • No credential file harvesting found
  • No child_process, eval, dynamic code loading, or destructive behavior found
  • index.js only prints a warning at runtime
Behavioral surface
Source
Crypto, Environment Vars, Filesystem, Network
Supply chain
Url Strings
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 2.70 KB of source, external domains: npmjs.com

Source & flagged code

2 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.


Findings

1 High, 3 Medium, 3 Low
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Medium: Network
  • Medium: Environment Vars
  • Low: Scripts Present
  • Low: Filesystem
  • Low: Url Strings