registry  /  cktool-core  /  1.0.2

cktool-core@1.0.2

⚠️ SECURITY RESEARCH — Apple Bug Bounty dependency confusion PoC. The correct package is @apple/cktool.core.

OSV Malicious Advisory

scanned 5h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10457 confirms this npm version as malicious. cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded...

Advisory
MAL-2026-10457
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in cktool-core (npm)
Details
cktool-core is the unscoped public-registry form of the private-scoped @apple/cktool.core package. Installers whose resolver misroutes the scoped name to the public npm registry receive this package instead of Apple's internal library. On install, postinstall.js generates and persists a per-installer UUID under XDG_CACHE_HOME (or ~/.cache) and POSTs it, along with version and timestamp fields, to a hardcoded external endpoint at npx-monitor-76056.azurewebsites.net/api/pingback. The behavior fires unconditionally via the declared postinstall lifecycle hook, so any misresolution results in attacker-controlled JavaScript executing on the installer's machine and an install beacon leaving to a non-vendor destination. The package.json description self-labels this as a dependency-confusion PoC, but the mechanism and installer impact are identical to a real dependency-confusion attack against Apple's private namespace.
Decision reason
OpenSSF Malicious Packages via OSV confirms cktool-core@1.0.2 as malicious (MAL-2026-10457): Malicious code in cktool-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory