MAL-2026-10101

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-kit-lite/MAL-2026-10101.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10101
Published
2026-07-09T23:10:21Z
Modified
2026-07-09T23:47:01.172310606Z
Summary
Malicious code in date-kit-lite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ce3951661e57807f08fd4dcbf281c14dd1e596907e1a356a3ec503e45fe3b8af)

The package advertises itself as a lightweight date-formatting utility but its postinstall lifecycle script executes the id command and transmits the output (installer uid/gid/groups) to a hardcoded bare-IP endpoint at http://155.190.124.243:6788/?cmd_output=<encoded>. Delivery is attempted through three redundant transports (node http.get, curl, wget) with swallowed errors to maximize successful exfiltration. The beacon also gives the operator installer IP, User-Agent, and host identity for follow-on targeting. This behavior fires automatically on npm install, is entirely unrelated to the declared date-utility purpose, and uses plain HTTP to a bare IP with no legitimate justification. The package name and generic description mimic well-known date helpers (date-fns, dayjs) while the author field is a self-referential placeholder, consistent with a disguised dropper targeting incidental installers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ce3951661e57807f08fd4dcbf281c14dd1e596907e1a356a3ec503e45fe3b8af",
            "id": "IN-MAL-2026-009602",
            "modified_time": "2026-07-09T23:10:21Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-07-09T23:30:56.403044571Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / date-kit-lite

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "7a01cbee21e163b0a8a358c6db2b2429654be0073a5dafd8bedc47160f5a11843326e4",
            "sha256": "3268a973540ef67255c402867f3b189b6a5ac912952d49cd408a09fe622f518d",
            "path": "postinstall.js"
        },
        {
            "sha256": "2692ade90fd34d4a587e4b2660a1daa07915a765c5b0536be3208a8de6f789cb",
            "tlsh": "95e022300922562326c586e6ed124946ad210e23129cbc1823e3512883ceb7a94fd22a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "date-kit-lite-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-aSjayzJemoS8Wdoh3okmQSf3DZdxj/I5KjWX9r1BRf8yAhp9Nw7gj7zzg1i+P6rq+9eonhrO1hSsN+MAGbKYfw==",
                "sha1": "7506b3a805f38f813fd521212472b03b8ca824da"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-kit-lite/MAL-2026-10101.json"