Malicious package

ccl-component-resources (npm)

Malicious code in ccl-component-resources (npm). Remove it immediately and rotate any exposed credentials.

MAL-2024-1959
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ccl-component-resources

What this malware does

ccl-component-resources is a dependency-confusion package: its name targets a likely-internal package, its semver is set to 99.0.0 to win resolution against private registries, and index.js is an empty stub (module.exports = {}). package.json declares a preinstall lifecycle hook that runs node pingback.js. pingback.js reads os.hostname() and POSTs a JSON payload ({hn,...package name, timestamp}) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every npm install. Any installer whose private dependency resolution mistakenly pulls this public package will leak the host identifier of the affected dev or CI machine to an external server. The package describes itself as an 'authorized PoC', but the beacon fires unconditionally for every installer regardless of authorization, and the destination is attacker-controlled from the installer's perspective.
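
As an added example (not code from this advisory or from the package), the following Node.js function audits a parsed package-lock.json (lockfileVersion 2 or 3) for the pattern described above: a flagged version, or an internal package name resolved from the public registry, with an install script as an aggravating signal. The `internalNames` list, the name `acme-internal-ui` and the sample lockfile are constructed assumptions.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2/3).
// The versions below are the ones this advisory flags.
const FLAGGED = { 'ccl-component-resources': ['1.0.732', '99.0.0'] };
const PUBLIC_REGISTRY = 'https://registry.npmjs.org/';

// internalNames (assumption): package names your organisation publishes
// only to its private registry, so a public "resolved" URL is a red flag.
function auditLockfile(lock, internalNames = []) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const i = path.lastIndexOf(marker);
    const name = meta.name || (i >= 0 ? path.slice(i + marker.length) : path);
    const reasons = [];
    if ((FLAGGED[name] || []).includes(meta.version)) reasons.push('flagged-version');
    if (internalNames.includes(name) && (meta.resolved || '').startsWith(PUBLIC_REGISTRY)) {
      reasons.push('internal-name-from-public-registry');
    }
    // Install scripts alone are common; report them only beside another signal.
    if (reasons.length > 0 && meta.hasInstallScript) reasons.push('has-install-script');
    if (reasons.length > 0) findings.push({ path, name, version: meta.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile; "acme-internal-ui" is a hypothetical internal name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ccl-component-resources': {
      version: '99.0.0',
      resolved: PUBLIC_REGISTRY + 'ccl-component-resources/-/ccl-component-resources-99.0.0.tgz',
      hasInstallScript: true,
    },
    'node_modules/acme-internal-ui': {
      version: '2.3.1',
      resolved: PUBLIC_REGISTRY + 'acme-internal-ui/-/acme-internal-ui-2.3.1.tgz',
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: PUBLIC_REGISTRY + 'left-pad/-/left-pad-1.3.0.tgz',
    },
  },
};

for (const f of auditLockfile(sampleLock, ['ccl-component-resources', 'acme-internal-ui'])) {
  console.log(`${f.name}@${f.version} (${f.path}): ${f.reasons.join(', ')}`);
}
```

Run it in CI against the committed lockfile before dependencies are installed; installing with npm's --ignore-scripts option additionally keeps a preinstall hook like the one above from executing.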

Malicious versions

2 flagged
1.0.732, 99.0.0

Indicators of compromise (SHA-256)

a6fb98ebaed0b2aee816f6a561ec56adb8d87fbbdecedc02e28aade5838a6f4e
cedee67680cb2246f9c18ff1976e9518d481a5f6bf1853e4a8d77822687e9a6c
a3aab5a60bbc55422ada7e8937985342cfee30ddac8e35dab2c0d03eb3d12d23

Frequently asked questions

No. ccl-component-resources on npm has been identified as a malicious package (versions 1.0.732, 99.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-00555, RLUA-2024-06275, IN-MAL-2026-007064

Credits

  • Amazon Inspector · finder
  • ReversingLabs · finder

ccl-component-resources (npm) malicious package — MAL-2024-1959 | O3 Security