MAL-2026-6514: Malicious code in dtxtools (npm)
The dtxtools npm package versions 1.0.0 and 1.0.1 contain malicious code that executes during installation. Specifically, a postinstall script performs a recursive search for database client binaries on the filesystem and exfiltrates the findings via an unencrypted HTTP request to an attacker-controlled domain. The package disguises itself as a benign string utility library but conducts unauthorized reconnaissance and data exfiltration unrelated to its advertised functionality. The author and repository metadata are empty, indicating a disposable or decoy package. No official patch or remediation is currently documented.
AI Analysis
Technical Summary
The dtxtools package versions 1.0.0 and 1.0.1 on npm include a postinstall lifecycle script that automatically runs upon installation. This script searches recursively for database client binaries such as mysql, mongo, mongosh, psql, redis-cli, sqlite3, and elasticsearch on the victim's filesystem. It writes the results to a local file and then sends this information via plain HTTP POST to a Burp Collaborator (OAST) domain controlled by an attacker. The package's metadata fields like author, repository, bugs, and homepage are empty, consistent with a disposable or malicious decoy package. The package advertises itself as a string utility library but performs unauthorized reconnaissance and data exfiltration during installation. This behavior was identified by Amazon Inspector and the OpenSSF Package Analysis project, which flagged the package as malicious.
Potential Impact
The malicious postinstall script can lead to unauthorized reconnaissance of the victim's environment by identifying installed database clients. The exfiltration of this information to an attacker-controlled domain can facilitate further targeted attacks or data breaches. Since the data is sent over unencrypted HTTP, it also exposes the victim to potential interception. The presence of such a package in a software supply chain can compromise system confidentiality and integrity. There is no indication of remote code execution beyond the postinstall script or persistence mechanisms, but the reconnaissance and data leakage alone represent a significant security risk.
Mitigation Recommendations
No official patch or remediation is currently documented for dtxtools versions 1.0.0 and 1.0.1. Users and organizations should avoid installing or using these versions of the dtxtools package. It is recommended to audit dependencies for the presence of dtxtools and remove or replace it with a trusted alternative. Monitor package sources carefully and prefer packages with verified authorship and metadata. Since this is not a cloud service, remediation depends on user action to remove or avoid the malicious package. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
MAL-2026-6514: Malicious code in dtxtools (npm)
Description
The dtxtools npm package versions 1.0.0 and 1.0.1 contain malicious code that executes during installation. Specifically, a postinstall script performs a recursive search for database client binaries on the filesystem and exfiltrates the findings via an unencrypted HTTP request to an attacker-controlled domain. The package disguises itself as a benign string utility library but conducts unauthorized reconnaissance and data exfiltration unrelated to its advertised functionality. The author and repository metadata are empty, indicating a disposable or decoy package. No official patch or remediation is currently documented.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The dtxtools package versions 1.0.0 and 1.0.1 on npm include a postinstall lifecycle script that automatically runs upon installation. This script searches recursively for database client binaries such as mysql, mongo, mongosh, psql, redis-cli, sqlite3, and elasticsearch on the victim's filesystem. It writes the results to a local file and then sends this information via plain HTTP POST to a Burp Collaborator (OAST) domain controlled by an attacker. The package's metadata fields like author, repository, bugs, and homepage are empty, consistent with a disposable or malicious decoy package. The package advertises itself as a string utility library but performs unauthorized reconnaissance and data exfiltration during installation. This behavior was identified by Amazon Inspector and the OpenSSF Package Analysis project, which flagged the package as malicious.
Potential Impact
The malicious postinstall script can lead to unauthorized reconnaissance of the victim's environment by identifying installed database clients. The exfiltration of this information to an attacker-controlled domain can facilitate further targeted attacks or data breaches. Since the data is sent over unencrypted HTTP, it also exposes the victim to potential interception. The presence of such a package in a software supply chain can compromise system confidentiality and integrity. There is no indication of remote code execution beyond the postinstall script or persistence mechanisms, but the reconnaissance and data leakage alone represent a significant security risk.
Mitigation Recommendations
No official patch or remediation is currently documented for dtxtools versions 1.0.0 and 1.0.1. Users and organizations should avoid installing or using these versions of the dtxtools package. It is recommended to audit dependencies for the presence of dtxtools and remove or replace it with a trusted alternative. Monitor package sources carefully and prefer packages with verified authorship and metadata. Since this is not a cloud service, remediation depends on user action to remove or avoid the malicious package. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6514
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef79427e9c79719ff8d99
Added to database: 06/26/2026, 22:05:08 UTC
Last enriched: 06/26/2026, 22:19:19 UTC
Last updated: 06/26/2026, 22:19:19 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.