-= Per source details. Do not edit below this line.=-
The package presents itself as a date-formatting utility and re-exports plausible date APIs (format, formatISO, formatDate, formatTime) from dist/index.js, but also exports formatd from dist/file.js. When formatd is invoked, it fetches an opaque binary from the anonymous file host pixeldrain.com (https://pixeldrain.com/u/byLkaSJR), writes the bytes to ~/.drc/dr, chmods the file 0o755, and spawns it with caller-supplied args using stdio:'ignore' and windowsHide:true so the child process is hidden. There is no hash or signature verification on the downloaded binary, the host is anonymous and unrelated to the publisher, the download target is unrelated to date formatting, and the binary is staged in a hidden dot-directory under the user's home. The cover-story API surface (formatd named to blend with format/formatDate/formatTime) increases the chance consumers invoke the dropper believing it is a date helper.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T21:47:56Z",
"versions": [
"0.1.0"
],
"sha256": "758d74e75086465a01c3837210bf5bafe22d86e6f087be963e39ccd62ed0b034",
"id": "IN-MAL-2026-010332",
"source": "amazon-inspector",
"import_time": "2026-07-13T21:49:34.392173849Z"
},
{
"modified_time": "2026-07-13T21:47:47Z",
"versions": [
"0.1.1"
],
"sha256": "abbbaa17e182ec6f9f9bdb19432d3454c1f1e2ac1a6390051e793e0b68a35c1e",
"id": "IN-MAL-2026-010331",
"source": "amazon-inspector",
"import_time": "2026-07-13T21:49:34.332355596Z"
}
]
}{
"evidence_files": [
{
"tlsh": "1a218e6b1cf7bb6941739494172be417139a80176788c844fb1dcf30bf4960d94e1bd8",
"sha256": "520e70dd8c3b706a84550b3fc9c91de5d42a5a3fe3cc8463470bf8f173da919b",
"path": "dist/file.js"
},
{
"tlsh": "b921eb22a79603229a3305d0592ec3500fbb02d7bd5b5c01063e9f63bbe7480d0896ee",
"sha256": "edeee57e54c6bb46f95b1eed9cd5d1676c3f7fb934b22248b4ac2bdb9c24209c",
"path": "dist/index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "34312f10a97e0e85ff2063dabd96eda05b701037",
"sha512_sri": "sha512-lzHKltkfWXj5E02V2+jGhpv/e8vlIswYXvUupeFMr8Ijol/YOpbKRhWuBYJYGMedEL7CcGxxUmf/AVK1++UAxQ=="
},
"filename": "filewisee-0.1.0.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/filewisee/MAL-2026-10501.json"