{"id":"MAL-2026-10006","summary":"Malicious code in testing-d3do (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8)\nOn npm install, this package's postinstall script collects host identifiers (os.hostname(), os.userInfo(), current working directory, and external IPv4 address) and POSTs them to a hardcoded subdomain under oast.fun (lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun, path /receive-data). oast.fun is an Interactsh out-of-band collector commonly used for dependency-confusion reconnaissance. The package metadata is consistent with a dependency-confusion squat: name prefixed with 'testing-', version 99.9.9 (unrealistically high to win registry resolution against an internal package of the same short name), empty author/description/keywords. Installing this package causes the installer's machine identifiers and network address to be sent to a third-party collector controlled by whoever registered the OAST subdomain.\n\n## Source: ossf-package-analysis (cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6)\nThe OpenSSF Package Analysis project identified 'testing-d3do' @ 99.9.9 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-07-09T16:32:02.440996716Z","published":"2026-07-09T11:20:48Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-09T12:03:06.798463805Z","source":"ossf-package-analysis","modified_time":"2026-07-09T11:20:48Z","versions":["99.9.9"],"sha256":"cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6"},{"import_time":"2026-07-09T16:20:41.509942201Z","source":"amazon-inspector","modified_time":"2026-07-09T15:29:34Z","sha256":"6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8","versions":["99.9.9"],"id":"IN-MAL-2026-009109"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/testing-d3do/v/99.9.9"}],"affected":[{"package":{"name":"testing-d3do","ecosystem":"npm","purl":"pkg:npm/testing-d3do"},"versions":["99.9.9"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testing-d3do/MAL-2026-10006.json","indicators":{"evidence_files":[{"tlsh":"203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6","sha256":"108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0","path":"index.js"},{"tlsh":"35d0a7345c21963328d85699096b650ab5a1cd1b0008784d27a3141892de93344fd30d","sha256":"7182bc48dc98896bc6edb61adc5964e1f31c752b9257324e28cc4218080ac7ec","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"ec6a19d2d989bb4e0de043d21776f65bf77925c6","sha512_sri":"sha512-xgoxzbTcTPpngzOXF4VK1bWy2Cc08B4S+SSJLSQ8OZXZLzEt/1sTOuXJP/33uku4RVAQVuGrwec4cDiQVWQx0g=="},"filename":"testing-d3do-99.9.9.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}