-= Per source details. Do not edit below this line.=-
Package presents itself as a trivial date-formatting utility (index.js exports a one-line ISO date helper) but ships a postinstall.js that runs automatically on npm install. The script shells out via child_process.exec to collect host reconnaissance — hostname, whoami, id, uname, pwd, /etc/os-release, HOME, SHELL, container indicators, /proc/1/cgroup, network interfaces, and running process list — base64-encodes the data, and sends it via HTTP GET to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com/ing?d=<base64>. The stated purpose of the package does not require any shell execution or network activity; the install-time reconnaissance beacon is unrelated to the advertised functionality.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010721",
"sha256": "99bd644fd9a59518d6f77e8d76c077ffef8a2afdc7ae2b00a6ca87299879a671",
"import_time": "2026-07-16T18:54:01.154484939Z",
"modified_time": "2026-07-16T18:37:41Z",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "date-utils-light-1.0.1.tgz",
"hashes": {
"sha1": "173b407b350c463ecf40f4a8029879fc94b868e2",
"sha512_sri": "sha512-sHUlc2YQpugflgUhgrw9LZUoT5igdbmbLTRLRXfXiDMEA5m7Yb2QU6pXkJMd9/ms9w4/WqkEUrWbld383FcgFg=="
}
}
],
"evidence_files": [
{
"tlsh": "320189f8b978d970324ad0f6b95d191738835a9f21b4ffb808478cb5819d5c410be572",
"sha256": "7b4573190bb073f2fe5e455e012fa2ee4a6547d0641ca49d30e38485e1bc6348",
"path": "postinstall.js"
},
{
"tlsh": "e6e0263888019d232ac00aa6496a8906ae509e074114781933a7201c879f67f84ff35d",
"sha256": "f8da84b39ece6ab2b13c469c348898418c13c20b56483deab8a954d94127e22b",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-utils-light/MAL-2026-10731.json"