{"id":"MAL-2026-6498","summary":"Malicious code in dttfdsdee (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c)\npackage.json declares a postinstall script that runs automatically on npm install. The script walks the entire filesystem with find to locate database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes the results to /data/db_clients_check.txt, and then uses curl -X POST to send local file contents to an out-of-band callback at http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com (oastify.com is the Burp Collaborator OOB interaction domain). The package presents itself as a generic string-utility helper with benign filler in index.js, but the advertised purpose is wholly inconsistent with the install-time behavior; metadata is hollow (empty author, empty repository, empty homepage) and the name is a random string — consistent with disposable reconnaissance bait. Installing the package on a developer or CI machine causes immediate filesystem reconnaissance and exfiltration to attacker-controlled infrastructure.\n\n## Source: ossf-package-analysis (bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5)\nThe OpenSSF Package Analysis project identified 'dttfdsdee' @ 1.0.1 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-26T15:16:36.354757956Z","published":"2026-06-26T02:55:50Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-26T02:55:50Z","source":"ossf-package-analysis","versions":["1.0.1"],"sha256":"bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5","import_time":"2026-06-26T03:14:41.558129129Z"},{"import_time":"2026-06-26T04:57:28.632993758Z","id":"IN-MAL-2026-007583","source":"amazon-inspector","sha256":"0d1f8ed5cffb20d316fd511cb9861c8e853b4060e35c7eea1f56128e37cb2da8","versions":["1.0.3"],"modified_time":"2026-06-26T04:04:16Z"},{"modified_time":"2026-06-26T04:04:19Z","id":"IN-MAL-2026-007584","versions":["1.0.4"],"sha256":"132e1119aa728006bf15cac94c7510d24a24a555aaca509a41b124af5a753415","source":"amazon-inspector","import_time":"2026-06-26T04:57:28.677581207Z"},{"import_time":"2026-06-26T04:57:28.872565339Z","id":"IN-MAL-2026-007587","source":"amazon-inspector","sha256":"18af68b366fd8bf07ba75a7040d05c62bb9559c7fbefc36c9684861ffa3126e6","versions":["1.0.1"],"modified_time":"2026-06-26T04:04:36Z"},{"import_time":"2026-06-26T04:57:28.821021271Z","id":"IN-MAL-2026-007586","versions":["1.0.0"],"sha256":"48b521e920d2c47f499f0ae3b9f096d2ec13047ced6262cb61c9dd89e1542f71","source":"amazon-inspector","modified_time":"2026-06-26T04:04:33Z"},{"import_time":"2026-06-26T04:57:28.772659572Z","id":"IN-MAL-2026-007585","versions":["1.0.2"],"sha256":"7f61e9b10455dc3781fcee5dfb2654ff824c2ac2e51dfaf7ebfba342f570f66c","source":"amazon-inspector","modified_time":"2026-06-26T04:04:32Z"},{"import_time":"2026-06-26T09:12:39.149055565Z","source":"ossf-package-analysis","versions":["1.0.5"],"sha256":"95062ddd9ab0c40dca1c09ae94fedc69c955f25dcbd1287013863bb037675a5b","modified_time":"2026-06-26T08:35:57Z"},{"import_time":"2026-06-26T14:59:21.140818054Z","id":"IN-MAL-2026-007603","versions":["1.0.6"],"sha256":"ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c","modified_time":"2026-06-26T14:15:01Z","source":"amazon-inspector"},{"import_time":"2026-06-26T14:59:21.257815566Z","id":"IN-MAL-2026-007604","versions":["1.0.5"],"sha256":"b02aede5fb6dcbb786253c59de49b32bba5b700faefbdc2835b170440d846b09","source":"amazon-inspector","modified_time":"2026-06-26T14:15:02Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dttfdsdee/v/1.0.5"}],"affected":[{"package":{"name":"dttfdsdee","ecosystem":"npm","purl":"pkg:npm/dttfdsdee"},"versions":["1.0.1","1.0.3","1.0.4","1.0.0","1.0.2","1.0.5","1.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttfdsdee/MAL-2026-6498.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"dttfdsdee-1.0.3.tgz","hashes":{"sha1":"87b5158fbbdb9da296ec758fc812fcb8c680abcc","sha512_sri":"sha512-2T5nxtWAmhNSlYES1O7yml2xcRzwrR2Uu/3iXF8n5jdkf+n6cvJUGLUM2ormrI71Nt4G3dYl0KHtm3JjCQZvqQ=="}}],"evidence_files":[{"path":"package.json","tlsh":"0f019718c2205c2315d81b20a89a1a42b1129e9709143c0977d3802c0fae6ab50fe62e","sha256":"9337982c9d32059bcc027658040a9405f542534d4026924bf6a54b398a8781a2"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}