{"id":"MAL-2026-4264","summary":"Malicious code in dds-js-idl (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69)\nOn `npm install`, postinstall.js runs `whoami` via execSync and collects os.hostname(), os.platform(), cwd, and CI/GitHub env vars, then exfiltrates them over HTTPS GET to `lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com/nasa/dds-js-canary/` and additionally performs a DNS lookup of `${whoami}.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com` as a DNS-channel fallback that defeats egress HTTPS filtering. The package self-describes as a `Security research canary — NASA VDP`, but it fires on every install without consent and leaks installer identity and repository/CI context to a third-party Interactsh (oastify.com) collector controlled by the canary operator. Regardless of stated research intent, the structural behavior is install-time host fingerprinting and out-of-band exfiltration.\n\n## Source: ossf-package-analysis (282ab4387de68701d586cdeb6635a576abea042584decbb31640112e9292e83a)\nThe OpenSSF Package Analysis project identified 'dds-js-idl' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-05-26T06:02:27.357700328Z","published":"2026-05-23T02:15:22Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-23T08:18:25.916919803Z","modified_time":"2026-05-23T02:20:25Z","versions":["1.0.0"],"source":"ossf-package-analysis","sha256":"282ab4387de68701d586cdeb6635a576abea042584decbb31640112e9292e83a"},{"modified_time":"2026-05-23T04:09:23Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"4b8ad096ffbd5b819ff05fa2e7240e8b64ab4f0c66bbcd5b3067e062d6bbbf29","import_time":"2026-05-26T05:52:18.375533917Z","id":"IN-MAL-2026-004286"},{"versions":["1.0.1"],"source":"amazon-inspector","sha256":"9762fd0560dfcdafa569313e27731335cf7544e6101c559dc6a41fda68b94ad8","import_time":"2026-05-26T05:52:18.276432293Z","id":"IN-MAL-2026-004285","modified_time":"2026-05-23T04:09:22Z"},{"id":"IN-MAL-2026-004280","modified_time":"2026-05-23T02:15:22Z","versions":["1.0.0"],"source":"amazon-inspector","sha256":"c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69","import_time":"2026-05-26T05:52:17.652803731Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dds-js-idl/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dds-js-idl/v/1.0.0"}],"affected":[{"package":{"name":"dds-js-idl","ecosystem":"npm","purl":"pkg:npm/dds-js-idl"},"versions":["1.0.0","1.0.1"],"database_specific":{"indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"3e6901d5a6d2ec5d28ce106522d900514ac4e9d83bdcb44ea75ab486dcda95d1","tlsh":"4a0120f023f0e6f058e20dc0e6159c177167e0103345b9e07dac82a96f89a7444b1cec"}],"package_integrity":[{"filename":"dds-js-idl-1.0.1.tgz","hashes":{"sha1":"2f6297431614f9af265ce9d3b1f096331a0d47d0","sha512_sri":"sha512-9Lou+pJx3eC/eEcvHviHWZ7JmeYm6hlnyg13Ujx8/4wxvKDUuUN8yApwUaHjknW4zoa72ECNHA8n68Ll+1cuAA=="}}],"domains":["scan.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com","lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com"]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dds-js-idl/MAL-2026-4264.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}