npm · Malicious package advisory
Malwaredttfdsdee
MAL-2026-6498
Malicious code in dttfdsdee (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c) package.json declares a postinstall script that runs automatically on npm install. The script walks the entire filesystem with find to locate database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes the results to /data/db_clients_check.txt, and then uses curl -X POST to send local file contents to an out-of-band callback at http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com (oastify.com is the Burp Collaborator OOB interaction domain). The package presents itself as a generic string-utility helper with benign filler in index.js, but the advertised purpose is wholly inconsistent with the install-time behavior; metadata is hollow (empty author, empty repository, empty homepage) and the name is a random string — consistent with disposable reconnaissance bait. Installing the package on a developer or CI machine causes immediate filesystem reconnaissance and exfiltration to attacker-controlled infrastructure. ## Source: ossf-package-analysis (bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5) The OpenSSF Package Analysis project identified 'dttfdsdee' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (7)
- 1.0.1
- 1.0.3
- 1.0.4
- 1.0.0
- 1.0.2
- 1.0.5
- 1.0.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.