MAL-2026-10700

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/time-format-kit/MAL-2026-10700.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10700
Published
2026-07-16T14:26:20Z
Modified
2026-07-16T19:20:01.084577502Z
Summary
Malicious code in time-format-kit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (168d334d742003cf94d8b87ba56cd72694081ade01f6814062e58ebdc47d8594)

On npm install, the package's postinstall script decodes base64-encoded shell payloads and executes them via an obfuscated childprocess.exec lookup (require('ch'+'il'+'dp'+'rocess')['e'+'xec']). The shell payload reads ~/.aws/credentials, ~/.ssh/idrsa, ~/.ssh/authorizedkeys, ~/.ssh/knownhosts, ~/.bashhistory, the full process environment, and host identifiers (hostname, whoami, id, sudo -l), then POSTs the base64-encoded contents over plain HTTP to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com. Additional payloads issue curl requests through the installer host to http://tst.woa.com/flag.html and http://tst.woa.com/ssrf_forward.php with an oastify-subdomain host parameter, and POST the response bodies back to the same collaborator endpoint, using the installer as an SSRF relay. The package name ('time-format-kit') has no functional relationship to the observed behavior.

Source: ossf-package-analysis (013929714a8a46ad664ac923c9ce315df1b9351993cc7d2d06a325d8f0c49009)

The OpenSSF Package Analysis project identified 'time-format-kit' @ 1.0.2 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "013929714a8a46ad664ac923c9ce315df1b9351993cc7d2d06a325d8f0c49009",
            "versions": [
                "1.0.2"
            ],
            "source": "ossf-package-analysis",
            "modified_time": "2026-07-16T14:26:20Z",
            "import_time": "2026-07-16T14:43:39.526044543Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "720cc381014fc2e82f745dc2709b894652cd25e1ee4889e6798d05a598b19623",
            "id": "IN-MAL-2026-010690",
            "modified_time": "2026-07-16T18:29:39Z",
            "import_time": "2026-07-16T18:53:59.336248897Z"
        },
        {
            "modified_time": "2026-07-16T18:33:24Z",
            "versions": [
                "1.0.2"
            ],
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010694",
            "sha256": "d50a73d9427a1765efc9ef52755ba856343a936a0fd349c83030bebb76870041",
            "import_time": "2026-07-16T18:53:59.552273227Z"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ],
            "sha256": "168d334d742003cf94d8b87ba56cd72694081ade01f6814062e58ebdc47d8594",
            "id": "IN-MAL-2026-010696",
            "modified_time": "2026-07-16T18:33:43Z",
            "import_time": "2026-07-16T18:53:59.679462897Z"
        }
    ]
}
References
Credits

Affected packages

npm / time-format-kit

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "time-format-kit-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-s1h8hAvriCVPjO57ENXZ794AtMSVbTW2x3CwZ0Z20YEQ9cNRTWYwsFpA+OGGrBhF7wer5dtBJo3FTc/ObjAUUQ==",
                "sha1": "53b7f8d01a1ade3045d76a7daab84e03a04e8717"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "c97edb081f43d718921d1036194d8a6f6d0fe947f3a0d6335fab9634f2793a29",
            "tlsh": "647123bebd52b20c9b92350db34e1c8d0ae0501b746159b91d866e6093af07a9ccc23b"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/time-format-kit/MAL-2026-10700.json"