-= Per source details. Do not edit below this line.=-
package.json declares a postinstall lifecycle script that auto-executes on npm install. The hook performs a recursive filesystem search for database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes results to /data/dbclientscheck.txt, and POSTs the collected output via plain-HTTP curl to http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com, a Burp Collaborator (OAST) subdomain used as an out-of-band attacker channel. The package advertises itself as a string-utility library (index.js header references easy-string-kit) and ships benign-looking helper code as a cover; the install-time reconnaissance and exfiltration are unrelated to that advertised purpose. Author, repository, bugs, and homepage fields in package.json are empty, consistent with a disposable decoy publish.
The OpenSSF Package Analysis project identified 'dtxtools' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"modified_time": "2026-06-26T09:06:00Z",
"sha256": "60aeb1c9d89211c999d326073fbc8be5324a4f09df832abf9e1aea01b6caef0d",
"source": "ossf-package-analysis",
"import_time": "2026-06-26T09:12:39.228073806Z"
},
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-26T09:25:43Z",
"sha256": "e2aa9c068631fd05168e486b69c2a883339b8c50c4752446567a7ab18824e9d4",
"source": "ossf-package-analysis",
"import_time": "2026-06-26T10:34:45.411422567Z"
},
{
"versions": [
"1.0.0"
],
"modified_time": "2026-06-26T15:52:36Z",
"sha256": "8fdf4631d010f7e464f6513c728593eace221106d11e865442e3e0800c4294f4",
"id": "IN-MAL-2026-007637",
"source": "amazon-inspector",
"import_time": "2026-06-26T16:45:36.575082387Z"
},
{
"versions": [
"1.0.1"
],
"modified_time": "2026-06-26T15:52:39Z",
"sha256": "de085e4b6d38025a5a0b959b19b1022deaa7525b427e66679b58b6892328297a",
"id": "IN-MAL-2026-007638",
"source": "amazon-inspector",
"import_time": "2026-06-26T16:45:36.704414223Z"
}
]
}
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-Y5D3n/ru5m3ShCNbZ97Sndw+/rZG4MrO/aNtR6btU2H4K7nf5nM95LwHO87enubgLRV5lkTZduNaaa+SM+QuzA==",
"sha1": "b1f864586931b0957fb7eac1fa8ab59de68f3442"
},
"filename": "dtxtools-1.0.0.tgz"
}
],
"evidence_files": [
{
"path": "package.json",
"tlsh": "be11dc18d2248db310c85e30e86b0a23b9616d5b0d043c0837c7c2ac4fdea6b91ff26c",
"sha256": "0c274b4c74e581493da48efa0e1dd130790ad864034991a51707c3ad0d3d438b"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/dtxtools/MAL-2026-6514.json"