{"id":"MAL-2026-6513","summary":"Malicious code in dtxto1ols (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991)\npackage.json declares a postinstall script that runs automatically on `npm install`. The script performs filesystem reconnaissance (find / -type f scanning for database client binaries such as mysql and mongo, writing results to /data/db_clients_check.txt) and then POSTs the collected file contents over plaintext HTTP to a Burp Collaborator subdomain at 3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com. The destination is an out-of-band attacker-controlled collaborator host with no relationship to the package's advertised string-utility purpose. The package name `dtxto1ols` also exhibits a digit-`1` for letter-`l` substitution typical of typosquatting, which corroborates malicious intent.\n\n## Source: ossf-package-analysis (b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64)\nThe OpenSSF Package Analysis project identified 'dtxto1ols' @ 1.0.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-26T17:01:40.462665330Z","published":"2026-06-26T09:10:56Z","database_specific":{"malicious-packages-origins":[{"sha256":"b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64","source":"ossf-package-analysis","versions":["1.0.2"],"modified_time":"2026-06-26T09:10:56Z","import_time":"2026-06-26T09:12:39.309678168Z"},{"sha256":"926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991","source":"amazon-inspector","versions":["1.0.2"],"modified_time":"2026-06-26T15:52:35Z","id":"IN-MAL-2026-007636","import_time":"2026-06-26T16:45:36.33878762Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dtxto1ols/v/1.0.2"}],"affected":[{"package":{"name":"dtxto1ols","ecosystem":"npm","purl":"pkg:npm/dtxto1ols"},"versions":["1.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dtxto1ols/MAL-2026-6513.json","indicators":{"package_integrity":[{"filename":"dtxto1ols-1.0.2.tgz","hashes":{"sha1":"b287ea83fd0cf48454dfa5ca243002bdcf0224c9","sha512_sri":"sha512-3hqVbr00j5MJqD+vjakf1Et7RXecTeZkWII806Ppdi/fujLCH2S8c8meDUDCMYhzjY9tq6Y+P7XSuyj/+vh7Wg=="}}],"evidence_files":[{"tlsh":"f411ba1892248db310c85e30a86a1a2369216d5b0d043c0837c7c2ac4fdea6b90ff26c","sha256":"a9039fea84f3c02ece5c0b24176405185bce1b6baa12ad4c3d824fabd1f40e39","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}