OSV Malicious Advisory
scanned 5h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10457 confirms this npm version as malicious. cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded...
Advisory
MAL-2026-10457
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cktool-core (npm)
Details
cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded external endpoint at npx-monitor-76056.azurewebsites.net/api/pingback. The behavior fires unconditionally via the declared postinstall lifecycle hook, so any misresolution results in attacker-controlled JavaScript executing on the installer's machine and an install beacon leaving to a non-vendor destination. The package.json description self-labels this as a dependency-confusion PoC, but the mechanism and installer impact are identical to a real dependency-confusion attack against Apple's private namespace.
Decision reason
OpenSSF Malicious Packages via OSV confirms cktool-core@1.0.2 as malicious (MAL-2026-10457): Malicious code in cktool-core (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory