VYPR

npm · Malicious package advisory

Malware

dtxto1ols

MAL-2026-6513

Malicious code in dtxto1ols (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991)
package.json declares a postinstall script that runs automatically on `npm install`. The script performs filesystem reconnaissance (find / -type f scanning for database client binaries such as mysql and mongo, writing results to /data/db_clients_check.txt) and then POSTs the collected file contents over plaintext HTTP to a Burp Collaborator subdomain at 3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com. The destination is an out-of-band attacker-controlled collaborator host with no relationship to the package's advertised string-utility purpose. The package name `dtxto1ols` also exhibits a digit-`1` for letter-`l` substitution typical of typosquatting, which corroborates malicious intent.

## Source: ossf-package-analysis (b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64)
The OpenSSF Package Analysis project identified 'dtxto1ols' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (1)

  • 1.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.