npm · Malicious package advisory
Malwaretesting-d3do
MAL-2026-10006
Malicious code in testing-d3do (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8) On npm install, this package's postinstall script collects host identifiers (os.hostname(), os.userInfo(), current working directory, and external IPv4 address) and POSTs them to a hardcoded subdomain under oast.fun (lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun, path /receive-data). oast.fun is an Interactsh out-of-band collector commonly used for dependency-confusion reconnaissance. The package metadata is consistent with a dependency-confusion squat: name prefixed with 'testing-', version 99.9.9 (unrealistically high to win registry resolution against an internal package of the same short name), empty author/description/keywords. Installing this package causes the installer's machine identifiers and network address to be sent to a third-party collector controlled by whoever registered the OAST subdomain. ## Source: ossf-package-analysis (cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6) The OpenSSF Package Analysis project identified 'testing-d3do' @ 99.9.9 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Compromised versions (1)
- 99.9.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.