MAL-2026-6513

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dtxto1ols/MAL-2026-6513.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6513
Published
2026-06-26T09:10:56Z
Modified
2026-06-26T17:01:40.462665330Z
Summary
Malicious code in dtxto1ols (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991)

package.json declares a postinstall script that runs automatically on npm install. The script performs filesystem reconnaissance (find / -type f scanning for database client binaries such as mysql and mongo, writing results to /data/dbclientscheck.txt) and then POSTs the collected file contents over plaintext HTTP to a Burp Collaborator subdomain at 3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com. The destination is an out-of-band attacker-controlled collaborator host with no relationship to the package's advertised string-utility purpose. The package name dtxto1ols also exhibits a digit-1 for letter-l substitution typical of typosquatting, which corroborates malicious intent.

Source: ossf-package-analysis (b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64)

The OpenSSF Package Analysis project identified 'dtxto1ols' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-26T09:10:56Z",
            "sha256": "b455011eb9c4e379922356173e11dec7a7b97389465a837c067f8d83cf21cc64",
            "source": "ossf-package-analysis",
            "import_time": "2026-06-26T09:12:39.309678168Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-06-26T15:52:35Z",
            "sha256": "926fc822a2a507fafa6d2e1bb02a9b2bada7d89d3042bd3f0cac0ba2fd7c1991",
            "id": "IN-MAL-2026-007636",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T16:45:36.33878762Z"
        }
    ]
}

Affected packages

npm / dtxto1ols

Package

Affected ranges

Affected versions

1.*
1.0.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "dtxto1ols-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-3hqVbr00j5MJqD+vjakf1Et7RXecTeZkWII806Ppdi/fujLCH2S8c8meDUDCMYhzjY9tq6Y+P7XSuyj/+vh7Wg==",
                "sha1": "b287ea83fd0cf48454dfa5ca243002bdcf0224c9"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "f411ba1892248db310c85e30a86a1a2369216d5b0d043c0837c7c2ac4fdea6b90ff26c",
            "sha256": "a9039fea84f3c02ece5c0b24176405185bce1b6baa12ad4c3d824fabd1f40e39"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dtxto1ols/MAL-2026-6513.json"