MAL-2026-10731

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-utils-light/MAL-2026-10731.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10731
Published
2026-07-16T18:37:41Z
Modified
2026-07-16T19:19:44.795937883Z
Summary
Malicious code in date-utils-light (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (99bd644fd9a59518d6f77e8d76c077ffef8a2afdc7ae2b00a6ca87299879a671)

Package presents itself as a trivial date-formatting utility (index.js exports a one-line ISO date helper) but ships a postinstall.js that runs automatically on npm install. The script shells out via child_process.exec to collect host reconnaissance — hostname, whoami, id, uname, pwd, /etc/os-release, HOME, SHELL, container indicators, /proc/1/cgroup, network interfaces, and running process list — base64-encodes the data, and sends it via HTTP GET to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com/ing?d=<base64>. The stated purpose of the package does not require any shell execution or network activity; the install-time reconnaissance beacon is unrelated to the advertised functionality.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010721",
            "sha256": "99bd644fd9a59518d6f77e8d76c077ffef8a2afdc7ae2b00a6ca87299879a671",
            "import_time": "2026-07-16T18:54:01.154484939Z",
            "modified_time": "2026-07-16T18:37:41Z",
            "source": "amazon-inspector",
            "versions": [
                "1.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / date-utils-light

Package

Affected ranges

Affected versions

1.*
1.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "date-utils-light-1.0.1.tgz",
            "hashes": {
                "sha1": "173b407b350c463ecf40f4a8029879fc94b868e2",
                "sha512_sri": "sha512-sHUlc2YQpugflgUhgrw9LZUoT5igdbmbLTRLRXfXiDMEA5m7Yb2QU6pXkJMd9/ms9w4/WqkEUrWbld383FcgFg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "320189f8b978d970324ad0f6b95d191738835a9f21b4ffb808478cb5819d5c410be572",
            "sha256": "7b4573190bb073f2fe5e455e012fa2ee4a6547d0641ca49d30e38485e1bc6348",
            "path": "postinstall.js"
        },
        {
            "tlsh": "e6e0263888019d232ac00aa6496a8906ae509e074114781933a7201c879f67f84ff35d",
            "sha256": "f8da84b39ece6ab2b13c469c348898418c13c20b56483deab8a954d94127e22b",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-utils-light/MAL-2026-10731.json"