MAL-2026-10006

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testing-d3do/MAL-2026-10006.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10006
Published
2026-07-09T11:20:48Z
Modified
2026-07-09T16:32:02.440996716Z
Summary
Malicious code in testing-d3do (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8)

On npm install, this package's postinstall script collects host identifiers (os.hostname(), os.userInfo(), current working directory, and external IPv4 address) and POSTs them to a hardcoded subdomain under oast.fun (lpzlajzjfkpfeefuzxbv6n5nob7bpuh6e.oast.fun, path /receive-data). oast.fun is an Interactsh out-of-band collector commonly used for dependency-confusion reconnaissance. The package metadata is consistent with a dependency-confusion squat: name prefixed with 'testing-', version 99.9.9 (unrealistically high to win registry resolution against an internal package of the same short name), empty author/description/keywords. Installing this package causes the installer's machine identifiers and network address to be sent to a third-party collector controlled by whoever registered the OAST subdomain.

Source: ossf-package-analysis (cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6)

The OpenSSF Package Analysis project identified 'testing-d3do' @ 99.9.9 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.9.9"
            ],
            "sha256": "cbb133c89692a67e9aff0a4777c486d480852fb223a5ac9b7c983ae94cdceef6",
            "modified_time": "2026-07-09T11:20:48Z",
            "import_time": "2026-07-09T12:03:06.798463805Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "99.9.9"
            ],
            "id": "IN-MAL-2026-009109",
            "modified_time": "2026-07-09T15:29:34Z",
            "sha256": "6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8",
            "import_time": "2026-07-09T16:20:41.509942201Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / testing-d3do

Package

Affected ranges

Affected versions

99.*
99.9.9

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "108ace563bb47f186a4326ee566478e9a521891ef5ba26d575262c3e9c05fcd0",
            "tlsh": "203153e5eaf6632106f604c570881413352ff210728adac0bafe43c47bc16f0ad32ae6",
            "path": "index.js"
        },
        {
            "sha256": "7182bc48dc98896bc6edb61adc5964e1f31c752b9257324e28cc4218080ac7ec",
            "tlsh": "35d0a7345c21963328d85699096b650ab5a1cd1b0008784d27a3141892de93344fd30d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "testing-d3do-99.9.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-xgoxzbTcTPpngzOXF4VK1bWy2Cc08B4S+SSJLSQ8OZXZLzEt/1sTOuXJP/33uku4RVAQVuGrwec4cDiQVWQx0g==",
                "sha1": "ec6a19d2d989bb4e0de043d21776f65bf77925c6"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/testing-d3do/MAL-2026-10006.json"