MAL-2026-10501

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/filewisee/MAL-2026-10501.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10501
Published
2026-07-13T21:47:47Z
Modified
2026-07-13T22:01:56.481521885Z
Summary
Malicious code in filewisee (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (758d74e75086465a01c3837210bf5bafe22d86e6f087be963e39ccd62ed0b034)

The package presents itself as a date-formatting utility and re-exports plausible date APIs (format, formatISO, formatDate, formatTime) from dist/index.js, but also exports formatd from dist/file.js. When formatd is invoked, it fetches an opaque binary from the anonymous file host pixeldrain.com (https://pixeldrain.com/u/byLkaSJR), writes the bytes to ~/.drc/dr, chmods the file 0o755, and spawns it with caller-supplied args using stdio:'ignore' and windowsHide:true so the child process is hidden. There is no hash or signature verification on the downloaded binary, the host is anonymous and unrelated to the publisher, the download target is unrelated to date formatting, and the binary is staged in a hidden dot-directory under the user's home. The cover-story API surface (formatd named to blend with format/formatDate/formatTime) increases the chance consumers invoke the dropper believing it is a date helper.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T21:47:56Z",
            "versions": [
                "0.1.0"
            ],
            "sha256": "758d74e75086465a01c3837210bf5bafe22d86e6f087be963e39ccd62ed0b034",
            "id": "IN-MAL-2026-010332",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T21:49:34.392173849Z"
        },
        {
            "modified_time": "2026-07-13T21:47:47Z",
            "versions": [
                "0.1.1"
            ],
            "sha256": "abbbaa17e182ec6f9f9bdb19432d3454c1f1e2ac1a6390051e793e0b68a35c1e",
            "id": "IN-MAL-2026-010331",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T21:49:34.332355596Z"
        }
    ]
}
References
Credits

Affected packages

npm / filewisee

Package

Affected ranges

Affected versions

0.*
0.1.0
0.1.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "1a218e6b1cf7bb6941739494172be417139a80176788c844fb1dcf30bf4960d94e1bd8",
            "sha256": "520e70dd8c3b706a84550b3fc9c91de5d42a5a3fe3cc8463470bf8f173da919b",
            "path": "dist/file.js"
        },
        {
            "tlsh": "b921eb22a79603229a3305d0592ec3500fbb02d7bd5b5c01063e9f63bbe7480d0896ee",
            "sha256": "edeee57e54c6bb46f95b1eed9cd5d1676c3f7fb934b22248b4ac2bdb9c24209c",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "34312f10a97e0e85ff2063dabd96eda05b701037",
                "sha512_sri": "sha512-lzHKltkfWXj5E02V2+jGhpv/e8vlIswYXvUupeFMr8Ijol/YOpbKRhWuBYJYGMedEL7CcGxxUmf/AVK1++UAxQ=="
            },
            "filename": "filewisee-0.1.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/filewisee/MAL-2026-10501.json"