npm · Malicious package advisory
Malwaredtxtools
MAL-2026-6514
Malicious code in dtxtools (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a) package.json declares a postinstall lifecycle script that auto-executes on `npm install`. The hook performs a recursive filesystem search for database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes results to /data/db_clients_check.txt, and POSTs the collected output via plain-HTTP curl to `http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com`, a Burp Collaborator (OAST) subdomain used as an out-of-band attacker channel. The package advertises itself as a string-utility library (index.js header references `easy-string-kit`) and ships benign-looking helper code as a cover; the install-time reconnaissance and exfiltration are unrelated to that advertised purpose. Author, repository, bugs, and homepage fields in package.json are empty, consistent with a disposable decoy publish. ## Source: ossf-package-analysis (60aeb1c9d89211c999d326073fbc8be5324a4f09df832abf9e1aea01b6caef0d) The OpenSSF Package Analysis project identified 'dtxtools' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Compromised versions (2)
- 1.0.0
- 1.0.1
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.