MAL-2026-6530: Malicious code in xrblocks-remote-control (npm)
The npm package 'xrblocks-remote-control' version 22.0.0 contains malicious code that sends the installer's project directory name and a timestamp to a hardcoded external URL. The package does not provide any legitimate functionality and appears to be a dependency confusion or typosquatting attempt targeting the 'xrblocks' namespace. This results in unauthorized data exfiltration during package installation or invocation.
AI Analysis
Technical Summary
The 'xrblocks-remote-control' npm package (version 22.0.0) includes a 'bin' script that, when executed (including via npx or unintended resolution), sends the basename of the environment variable 'INIT_CWD' (the installer's project directory) along with a timestamp to a remote callback URL at 'https://deepbounty.dd06-dev.fr/cb/46b252ec-a089-4f22-8b5e-5cee945106dc'. The package lacks any advertised functionality and is described as a 'Security PoC for Bug Bounty' in its package.json. This behavior constitutes unauthorized data transmission and is likely part of a dependency confusion or typosquatting attack vector targeting Google's 'xrblocks' namespace. No main module is shipped, and the only effect of the package is this outbound beacon.
Potential Impact
Installation or invocation of this package results in the unauthorized transmission of the installer's project directory name and a timestamp to an external third-party server without user consent. This can lead to information leakage about the project environment and potentially aid attackers in further targeting or reconnaissance. There is no indication of additional malicious payloads or code execution beyond this data exfiltration.
Mitigation Recommendations
No official patch or remediation is currently documented. Users and build systems should avoid installing or resolving the 'xrblocks-remote-control' package, especially version 22.0.0. Verify dependencies carefully to prevent dependency confusion or typosquatting attacks. Monitor package sources and lock dependencies to known good versions. Patch status is not yet confirmed — check the vendor advisory or trusted sources for current remediation guidance.
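To support the "verify dependencies" and "lock dependencies" advice above, here is an added example (not code from the advisory, OSV, or any project it names) that locates this package in a package-lock.json and checks a bin script's source for the indicators the analysis describes. The package name, version, environment variable and callback host are taken from the advisory text; the sample lockfile at the bottom is constructed.

```javascript
// Added example, not code from the advisory or any project it names: find the
// package this advisory describes in a package-lock.json and check a bin script
// for its indicators. Name, version, env var and callback host come from the
// advisory; the sample lockfile at the bottom is constructed.
const ADVISORY = { name: "xrblocks-remote-control", version: "22.0.0" };
// Strings the advisory says the bin script relies on.
const INDICATORS = ["INIT_CWD", "deepbounty.dd06-dev.fr"];

// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 (nested "dependencies" tree). Every occurrence of the
// package is returned, so a version other than 22.0.0 still surfaces for review.
function scanLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  const record = (where, version) =>
    hits.push({ path: where, version, exact: version === ADVISORY.version });
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key.split("node_modules/").pop() === ADVISORY.name) record(key, entry.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (name === ADVISORY.name) record(where, entry.version);
      walk(entry.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Which advisory indicators a bin script's source contains; both present
// matches the beacon behaviour described above.
function binIndicators(source) {
  return INDICATORS.filter((s) => source.includes(s));
}

// Constructed sample: v3 lockfile with the package pulled in transitively.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib/node_modules/xrblocks-remote-control": { version: "22.0.0" },
  },
});
for (const h of scanLockfile(SAMPLE_LOCK)) console.log(`${h.exact ? "MATCH" : "review"} ${h.path}@${h.version}`);
```

Pass a real lockfile's text to `scanLockfile` in CI to fail the build on a match; `binIndicators` is meant for the source of any `bin` entry an unfamiliar package installs.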
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: MAL-2026-6530
- Osv Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- Cvss Version: null
Threat ID: 6a3ef79427e9c79719ff8d7d
Added to database: 06/26/2026, 22:05:08 UTC
Last enriched: 06/26/2026, 22:19:04 UTC
Last updated: 06/27/2026, 03:37:39 UTC