MAL-2026-6498: Malicious code in dttfdsdee (npm)
The npm package 'dttfdsdee' versions 1.0.0 through 1.0.6 contains malicious code that executes automatically upon installation. It performs filesystem reconnaissance to locate database client binaries and exfiltrates the collected data to an attacker-controlled external server. The package masquerades as a benign utility but exhibits behavior inconsistent with its advertised purpose, indicating it is designed as disposable reconnaissance bait.
AI Analysis
Technical Summary
The 'dttfdsdee' npm package declares a postinstall script that runs automatically during npm install. This script searches the entire filesystem for database client binaries such as mysql, mongo, mongosh, psql, redis-cli, sqlite3, and elasticsearch, writing the findings to a local file. It then sends the contents of this file via an HTTP POST request to a remote domain associated with malicious activity. The package's metadata is minimal and misleading, with an empty author field and no repository or homepage information, consistent with malicious intent. This behavior was identified by the OpenSSF Package Analysis project and Amazon Inspector, confirming the package as malicious.
Potential Impact
Installing any affected version of the 'dttfdsdee' package results in immediate reconnaissance of the local filesystem to identify database clients, followed by exfiltration of this information to an attacker-controlled server. This compromises confidentiality by leaking potentially sensitive environment details to unauthorized parties. There is no indication of further exploitation beyond data exfiltration in the provided data.
Mitigation Recommendations
No official patch or remediation is currently documented for this package. Users should avoid installing any versions of 'dttfdsdee' listed as affected. Remove the package from any environments where it has been installed. Since this is a malicious package, the best mitigation is to block its use and remove it from dependency trees. Monitor for any unexpected network connections to suspicious domains and audit systems for signs of compromise related to this package.
MAL-2026-6498: Malicious code in dttfdsdee (npm)
Description
The npm package 'dttfdsdee' versions 1.0.0 through 1.0.6 contains malicious code that executes automatically upon installation. It performs filesystem reconnaissance to locate database client binaries and exfiltrates the collected data to an attacker-controlled external server. The package masquerades as a benign utility but exhibits behavior inconsistent with its advertised purpose, indicating it is designed as disposable reconnaissance bait.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'dttfdsdee' npm package declares a postinstall script that runs automatically during npm install. This script searches the entire filesystem for database client binaries such as mysql, mongo, mongosh, psql, redis-cli, sqlite3, and elasticsearch, writing the findings to a local file. It then sends the contents of this file via an HTTP POST request to a remote domain associated with malicious activity. The package's metadata is minimal and misleading, with an empty author field and no repository or homepage information, consistent with malicious intent. This behavior was identified by the OpenSSF Package Analysis project and Amazon Inspector, confirming the package as malicious.
Potential Impact
Installing any affected version of the 'dttfdsdee' package results in immediate reconnaissance of the local filesystem to identify database clients, followed by exfiltration of this information to an attacker-controlled server. This compromises confidentiality by leaking potentially sensitive environment details to unauthorized parties. There is no indication of further exploitation beyond data exfiltration in the provided data.
Mitigation Recommendations
No official patch or remediation is currently documented for this package. Users should avoid installing any versions of 'dttfdsdee' listed as affected. Remove the package from any environments where it has been installed. Since this is a malicious package, the best mitigation is to block its use and remove it from dependency trees. Monitor for any unexpected network connections to suspicious domains and audit systems for signs of compromise related to this package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6498
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef7a927e9c79719ffb5ff
Added to database: 06/26/2026, 22:05:29 UTC
Last enriched: 06/26/2026, 22:24:57 UTC
Last updated: 06/26/2026, 22:24:57 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.