-= Per source details. Do not edit below this line.=-
On npm install, this package's postinstall script collects host identifiers (os.hostname(), os.userInfo(), current working directory, and external IPv4 address) and POSTs them to a hardcoded subdomain under oast.fun (lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun, path /receive-data). oast.fun is an Interactsh out-of-band collector commonly used for dependency-confusion reconnaissance. The package metadata is consistent with a dependency-confusion squat: name prefixed with 'testing-', version 99.9.9 (unrealistically high to win registry resolution against an internal package of the same short name), empty author/description/keywords. Installing this package causes the installer's machine identifiers and network address to be sent to a third-party collector controlled by whoever registered the OAST subdomain.
The OpenSSF Package Analysis project identified 'testing-d3do' @ 99.9.9 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"99.9.9"
],
"sha256": "cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6",
"modified_time": "2026-07-09T11:20:48Z",
"import_time": "2026-07-09T12:03:06.798463805Z",
"source": "ossf-package-analysis"
},
{
"versions": [
"99.9.9"
],
"id": "IN-MAL-2026-009109",
"modified_time": "2026-07-09T15:29:34Z",
"sha256": "6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8",
"import_time": "2026-07-09T16:20:41.509942201Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0",
"tlsh": "203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6",
"path": "index.js"
},
{
"sha256": "7182bc48dc98896bc6edb61adc5964e1f31c752b9257324e28cc4218080ac7ec",
"tlsh": "35d0a7345c21963328d85699096b650ab5a1cd1b0008784d27a3141892de93344fd30d",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "testing-d3do-99.9.9.tgz",
"hashes": {
"sha512_sri": "sha512-xgoxzbTcTPpngzOXF4VK1bWy2Cc08B4S+SSJLSQ8OZXZLzEt/1sTOuXJP/33uku4RVAQVuGrwec4cDiQVWQx0g==",
"sha1": "ec6a19d2d989bb4e0de043d21776f65bf77925c6"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testing-d3do/MAL-2026-10006.json"