{"id":"MAL-2026-6514","summary":"Malicious code in dtxtools (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a)\npackage.json declares a postinstall lifecycle script that auto-executes on `npm install`. The hook performs a recursive filesystem search for database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes results to /data/db_clients_check.txt, and POSTs the collected output via plain-HTTP curl to `http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com`, a Burp Collaborator (OAST) subdomain used as an out-of-band attacker channel. The package advertises itself as a string-utility library (index.js header references `easy-string-kit`) and ships benign-looking helper code as a cover; the install-time reconnaissance and exfiltration are unrelated to that advertised purpose. Author, repository, bugs, and homepage fields in package.json are empty, consistent with a disposable decoy publish.\n\n## Source: ossf-package-analysis (60aeb1c9d89211c999d326073fbc8be5324a4f09df832abf9e1aea01b6caef0d)\nThe OpenSSF Package Analysis project identified 'dtxtools' @ 1.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-26T17:01:40.574907815Z","published":"2026-06-26T09:06:00Z","database_specific":{"malicious-packages-origins":[{"source":"ossf-package-analysis","versions":["1.0.0"],"modified_time":"2026-06-26T09:06:00Z","sha256":"60aeb1c9d89211c999d326073fbc8be5324a4f09df832abf9e1aea01b6caef0d","import_time":"2026-06-26T09:12:39.228073806Z"},{"versions":["1.0.1"],"source":"ossf-package-analysis","modified_time":"2026-06-26T09:25:43Z","sha256":"e2aa9c068631fd05168e486b69c2a883339b8c50c4752446567a7ab18824e9d4","import_time":"2026-06-26T10:34:45.411422567Z"},{"source":"amazon-inspector","versions":["1.0.0"],"modified_time":"2026-06-26T15:52:36Z","id":"IN-MAL-2026-007637","sha256":"8fdf4631d010f7e464f6513c728593eace221106d11e865442e3e0800c4294f4","import_time":"2026-06-26T16:45:36.575082387Z"},{"source":"amazon-inspector","versions":["1.0.1"],"import_time":"2026-06-26T16:45:36.704414223Z","id":"IN-MAL-2026-007638","sha256":"de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a","modified_time":"2026-06-26T15:52:39Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/dtxtools/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/dtxtools/v/1.0.1"}],"affected":[{"package":{"name":"dtxtools","ecosystem":"npm","purl":"pkg:npm/dtxtools"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dtxtools/MAL-2026-6514.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"dtxtools-1.0.0.tgz","hashes":{"sha512_sri":"sha512-Y5D3n/ru5m3ShCNbZ97Sndw+/rZG4MrO/aNtR6btU2H4K7nf5nM95LwHO87enubgLRV5lkTZduNaaa+SM+QuzA==","sha1":"b1f864586931b0957fb7eac1fa8ab59de68f3442"}}],"evidence_files":[{"tlsh":"be11dc18d2248db310c85e30e86b0a23b9616d5b0d043c0837c7c2ac4fdea6b91ff26c","sha256":"0c274b4c74e581493da48efa0e1dd130790ad864034991a51707c3ad0d3d438b","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}