MAL-2026-6498

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttfdsdee/MAL-2026-6498.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6498
Published
2026-06-26T02:55:50Z
Modified
2026-06-26T15:16:36.354757956Z
Summary
Malicious code in dttfdsdee (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c)

package.json declares a postinstall script that runs automatically on npm install. The script walks the entire filesystem with find to locate database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes the results to /data/dbclientscheck.txt, and then uses curl -X POST to send local file contents to an out-of-band callback at http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com (oastify.com is the Burp Collaborator OOB interaction domain). The package presents itself as a generic string-utility helper with benign filler in index.js, but the advertised purpose is wholly inconsistent with the install-time behavior; metadata is hollow (empty author, empty repository, empty homepage) and the name is a random string — consistent with disposable reconnaissance bait. Installing the package on a developer or CI machine causes immediate filesystem reconnaissance and exfiltration to attacker-controlled infrastructure.

Source: ossf-package-analysis (bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5)

The OpenSSF Package Analysis project identified 'dttfdsdee' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-26T02:55:50Z",
            "sha256": "bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-26T03:14:41.558129129Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-06-26T04:04:16Z",
            "sha256": "0d1f8ed5cffb20d316fd511cb9861c8e853b4060e35c7eea1f56128e37cb2da8",
            "id": "IN-MAL-2026-007583",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.632993758Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "modified_time": "2026-06-26T04:04:19Z",
            "sha256": "132e1119aa728006bf15cac94c7510d24a24a555aaca509a41b124af5a753415",
            "id": "IN-MAL-2026-007584",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.677581207Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-06-26T04:04:36Z",
            "sha256": "18af68b366fd8bf07ba75a7040d05c62bb9559c7fbefc36c9684861ffa3126e6",
            "id": "IN-MAL-2026-007587",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.872565339Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-06-26T04:04:33Z",
            "sha256": "48b521e920d2c47f499f0ae3b9f096d2ec13047ced6262cb61c9dd89e1542f71",
            "id": "IN-MAL-2026-007586",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.821021271Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-26T04:04:32Z",
            "sha256": "7f61e9b10455dc3781fcee5dfb2654ff824c2ac2e51dfaf7ebfba342f570f66c",
            "id": "IN-MAL-2026-007585",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T04:57:28.772659572Z"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-06-26T08:35:57Z",
            "sha256": "95062ddd9ab0c40dca1c09ae94fedc69c955f25dcbd1287013863bb037675a5b",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-26T09:12:39.149055565Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "modified_time": "2026-06-26T14:15:01Z",
            "sha256": "ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c",
            "id": "IN-MAL-2026-007603",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T14:59:21.140818054Z"
        },
        {
            "versions": [
                "1.0.5"
            ],
            "modified_time": "2026-06-26T14:15:02Z",
            "sha256": "b02aede5fb6dcbb786253c59de49b32bba5b700faefbdc2835b170440d846b09",
            "id": "IN-MAL-2026-007604",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T14:59:21.257815566Z"
        }
    ]
}

Affected packages

npm / dttfdsdee

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "dttfdsdee-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-2T5nxtWAmhNSlYES1O7yml2xcRzwrR2Uu/3iXF8n5jdkf+n6cvJUGLUM2ormrI71Nt4G3dYl0KHtm3JjCQZvqQ==",
                "sha1": "87b5158fbbdb9da296ec758fc812fcb8c680abcc"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "0f019718c2205c2315d81b20a89a1a42b1129e9709143c0977d3802c0fae6ab50fe62e",
            "sha256": "9337982c9d32059bcc027658040a9405f542534d4026924bf6a54b398a8781a2"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dttfdsdee/MAL-2026-6498.json"