VYPR

npm · Malicious package advisory

Malware

dtxtools

MAL-2026-6514

Malicious code in dtxtools (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a)
package.json declares a postinstall lifecycle script that auto-executes on `npm install`. The hook performs a recursive filesystem search for database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes results to /data/db_clients_check.txt, and POSTs the collected output via plain-HTTP curl to `http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com`, a Burp Collaborator (OAST) subdomain used as an out-of-band attacker channel. The package advertises itself as a string-utility library (index.js header references `easy-string-kit`) and ships benign-looking helper code as a cover; the install-time reconnaissance and exfiltration are unrelated to that advertised purpose. Author, repository, bugs, and homepage fields in package.json are empty, consistent with a disposable decoy publish.

## Source: ossf-package-analysis (60aeb1c9d89211c999d326073fbc8be5324a4f09df832abf9e1aea01b6caef0d)
The OpenSSF Package Analysis project identified 'dtxtools' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.