MAL-2026-4264

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dds-js-idl/MAL-2026-4264.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4264
Published
2026-05-23T02:15:22Z
Modified
2026-05-26T06:02:27.357700328Z
Summary
Malicious code in dds-js-idl (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69)

On npm install, postinstall.js runs whoami via execSync and collects os.hostname(), os.platform(), cwd, and CI/GitHub env vars, then exfiltrates them over HTTPS GET to lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com/nasa/dds-js-canary/ and additionally performs a DNS lookup of ${whoami}.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com as a DNS-channel fallback that defeats egress HTTPS filtering. The package self-describes as a Security research canary — NASA VDP, but it fires on every install without consent and leaks installer identity and repository/CI context to a third-party Interactsh (oastify.com) collector controlled by the canary operator. Regardless of stated research intent, the structural behavior is install-time host fingerprinting and out-of-band exfiltration.

Source: ossf-package-analysis (282ab4387de68701d586cdeb6635a576abea042584decbb31640112e9292e83a)

The OpenSSF Package Analysis project identified 'dds-js-idl' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "282ab4387de68701d586cdeb6635a576abea042584decbb31640112e9292e83a",
            "import_time": "2026-05-23T08:18:25.916919803Z",
            "modified_time": "2026-05-23T02:20:25Z",
            "source": "ossf-package-analysis"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-004286",
            "modified_time": "2026-05-23T04:09:23Z",
            "import_time": "2026-05-26T05:52:18.375533917Z",
            "sha256": "4b8ad096ffbd5b819ff05fa2e7240e8b64ab4f0c66bbcd5b3067e062d6bbbf29",
            "source": "amazon-inspector"
        },
        {
            "sha256": "9762fd0560dfcdafa569313e27731335cf7544e6101c559dc6a41fda68b94ad8",
            "id": "IN-MAL-2026-004285",
            "import_time": "2026-05-26T05:52:18.276432293Z",
            "modified_time": "2026-05-23T04:09:22Z",
            "versions": [
                "1.0.1"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "c864bc6e21a3795faba4de876942dfffa4baed76c926d96d52c83c32d1f49f69",
            "id": "IN-MAL-2026-004280",
            "import_time": "2026-05-26T05:52:17.652803731Z",
            "modified_time": "2026-05-23T02:15:22Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / dds-js-idl

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3e6901d5a6d2ec5d28ce106522d900514ac4e9d83bdcb44ea75ab486dcda95d1",
            "tlsh": "4a0120f023f0e6f058e20dc0e6159c177167e0103345b9e07dac82a96f89a7444b1cec",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "dds-js-idl-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-9Lou+pJx3eC/eEcvHviHWZ7JmeYm6hlnyg13Ujx8/4wxvKDUuUN8yApwUaHjknW4zoa72ECNHA8n68Ll+1cuAA==",
                "sha1": "2f6297431614f9af265ce9d3b1f096331a0d47d0"
            }
        }
    ],
    "domains": [
        "scan.lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com",
        "lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com"
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dds-js-idl/MAL-2026-4264.json"