npm · Malicious package advisory
Malwaredds-js-idl
MAL-2026-4264
Malicious code in dds-js-idl (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69)
On `npm install`, postinstall.js runs `whoami` via execSync and collects os.hostname(), os.platform(), cwd, and CI/GitHub env vars, then exfiltrates them over HTTPS GET to `lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com/nasa/dds-js-canary/` and additionally performs a DNS lookup of `${whoami}.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com` as a DNS-channel fallback that defeats egress HTTPS filtering. The package self-describes as a `Security research canary — NASA VDP`, but it fires on every install without consent and leaks installer identity and repository/CI context to a third-party Interactsh (oastify.com) collector controlled by the canary operator. Regardless of stated research intent, the structural behavior is install-time host fingerprinting and out-of-band exfiltration.
## Source: ossf-package-analysis (282ab4387de68701d586cdeb6635a576abea042584decbb31640112e9292e83a)
The OpenSSF Package Analysis project identified 'dds-js-idl' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.