VYPR

npm · Malicious package advisory

Malware

dbt-language-server

MAL-2026-6367

Malicious code in dbt-language-server (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b15387169de77b4c18baf8c3f4d27156085bd06d96d0a27879545c3f0358dba8)
package.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js collects installer-side reconnaissance data — hostname, username, home directory, DNS servers, package metadata — and reads the contents of /etc/passwd and /etc/hosts from the installer machine, then POSTs the bundle over HTTPS to `p9z268f2xv8co3wtlpujplris9y2msah.oastify.com`, a Burp Collaborator subdomain used for out-of-band exfiltration. The package has empty author/description/license fields and ships no functionality beyond this payload. The name `dbt-language-server` shadows a plausible internal/private package, consistent with a dependency-confusion attack targeting organizations that use a dbt-related internal tool.

Compromised versions (1)

  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.