npm · Malicious package advisory
Malwaredtxto1ols
MAL-2026-6513
Malicious code in dtxto1ols (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991) package.json declares a postinstall script that runs automatically on `npm install`. The script performs filesystem reconnaissance (find / -type f scanning for database client binaries such as mysql and mongo, writing results to /data/db_clients_check.txt) and then POSTs the collected file contents over plaintext HTTP to a Burp Collaborator subdomain at 3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com. The destination is an out-of-band attacker-controlled collaborator host with no relationship to the package's advertised string-utility purpose. The package name `dtxto1ols` also exhibits a digit-`1` for letter-`l` substitution typical of typosquatting, which corroborates malicious intent. ## Source: ossf-package-analysis (b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64) The OpenSSF Package Analysis project identified 'dtxto1ols' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (1)
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.