VYPR

npm · Malicious package advisory

Malware

testing-d3do

MAL-2026-10006

Malicious code in testing-d3do (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8)
On npm install, this package's postinstall script collects host identifiers (os.hostname(), os.userInfo(), current working directory, and external IPv4 address) and POSTs them to a hardcoded subdomain under oast.fun (lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun, path /receive-data). oast.fun is an Interactsh out-of-band collector commonly used for dependency-confusion reconnaissance. The package metadata is consistent with a dependency-confusion squat: name prefixed with 'testing-', version 99.9.9 (unrealistically high to win registry resolution against an internal package of the same short name), empty author/description/keywords. Installing this package causes the installer's machine identifiers and network address to be sent to a third-party collector controlled by whoever registered the OAST subdomain.

## Source: ossf-package-analysis (cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6)
The OpenSSF Package Analysis project identified 'testing-d3do' @ 99.9.9 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (1)

  • 99.9.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.