npm · Malicious package advisory
Malwaredbt-language-server
MAL-2026-6367
Malicious code in dbt-language-server (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b15387169de77b4c18baf8c3f4d27156085bd06d96d0a27879545c3f0358dba8) package.json declares a preinstall hook (`node index.js`) that runs automatically on `npm install`. index.js collects installer-side reconnaissance data — hostname, username, home directory, DNS servers, package metadata — and reads the contents of /etc/passwd and /etc/hosts from the installer machine, then POSTs the bundle over HTTPS to `p9z268f2xv8co3wtlpujplris9y2msah.oastify.com`, a Burp Collaborator subdomain used for out-of-band exfiltration. The package has empty author/description/license fields and ships no functionality beyond this payload. The name `dbt-language-server` shadows a plausible internal/private package, consistent with a dependency-confusion attack targeting organizations that use a dbt-related internal tool.
Compromised versions (1)
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.