-= Per source details. Do not edit below this line.=-
The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on npm install, runs a curl pipeline against cloud instance-metadata services to harvest temporary IAM credentials and other internally reachable data (the same endpoints typically targeted through SSRF), then POSTs the collected output to an attacker-controlled out-of-band host. Specifically, postinstall.js issues curl requests to AWS metadata at 169.254.169.254 (IAM security-credentials path), Aliyun at 100.100.100.200, Tencent at metadata.tencentyun.com / 169.254.0.23, and Meituan-internal mtsrc-test.sankuai.com, writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/tx.txt, /tmp/tx2.txt, and uploads them via curl -X POST to https://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata along with a listing of /data/. package.json declares "postinstall": "node postinstall.js", so the harvest fires automatically on a default install; an install run with npm's --ignore-scripts option does not execute it. On any cloud build host or CI runner this leaks role credentials that can carry full AWS/Aliyun/Tencent access, depending on the permissions of the attached role, so a host that installed the package should treat that role's credentials as exposed. The advertised purpose does not match the shipped behavior (index.js is a one-line hello stub), confirming the package is a lure for credential theft, not a date utility. Note that the indicator data for zer0one-dnslog-1.0.4.tgz further down lists webhook.site rather than the oastify.com host, so the exfiltration destination appears to vary between versions and detection should not rely on a single domain.
The OpenSSF Package Analysis project identified 'zer0one-dnslog' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"sha256": "61ff41f8e8f8f87ab7d1d60d8bed288957cbfa3352dfc6478b12f628c93c51c9",
"source": "ossf-package-analysis",
"modified_time": "2026-06-08T02:31:13Z",
"import_time": "2026-06-09T12:03:47.411415779Z"
},
{
"versions": [
"1.0.4"
],
"sha256": "c2cc8de5d9d6de7b0ab31f591bd6418cc0d482117f5f952df04deaba89672134",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:56:17Z",
"import_time": "2026-06-11T00:00:59.840527467Z",
"id": "IN-MAL-2026-005335"
},
{
"versions": [
"1.0.3"
],
"sha256": "e9add80ac470cd19bebab26fe48f5a57944ceb11e4f5f5580c45b1b1055da86a",
"modified_time": "2026-06-10T23:56:22Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:59.934183599Z",
"id": "IN-MAL-2026-005336"
},
{
"versions": [
"1.0.6"
],
"sha256": "14c7974b91fefdaeda12ecae9ba56b695a3175660a5b909e1fd1d690ac00b333",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:56:07Z",
"import_time": "2026-06-11T00:00:59.642317482Z",
"id": "IN-MAL-2026-005333"
},
{
"versions": [
"1.0.0"
],
"sha256": "1737c20fc87ad17964764d878c29cd4aa0904cd89167b4a75a047dbea57ed181",
"modified_time": "2026-06-10T23:56:38Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005340",
"import_time": "2026-06-11T00:01:00.437728685Z"
},
{
"versions": [
"1.0.2"
],
"sha256": "3436b4a0b68bee759a63e400555a990d224dc978a19ddcfdb9b94c2dd96d986f",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:56:26Z",
"import_time": "2026-06-11T00:01:00.016830668Z",
"id": "IN-MAL-2026-005337"
},
{
"versions": [
"1.0.7"
],
"sha256": "903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605",
"source": "amazon-inspector",
"modified_time": "2026-06-10T23:56:01Z",
"import_time": "2026-06-11T00:00:59.453854283Z",
"id": "IN-MAL-2026-005332"
},
{
"versions": [
"1.0.1"
],
"sha256": "02da6de040acd0c673cf660c84536fb07f0ef7d1e4c15a0159dd27e8e0466993",
"modified_time": "2026-06-10T23:56:32Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:01:00.117732991Z",
"id": "IN-MAL-2026-005338"
},
{
"versions": [
"1.0.8"
],
"sha256": "3714936a86eec93a75462059eb29f23ceaefec05fd66d658ddc6baf15470d8b4",
"modified_time": "2026-06-10T23:55:31Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:59.3813364Z",
"id": "IN-MAL-2026-005331"
},
{
"versions": [
"1.0.0"
],
"sha256": "75a6ef3f1d10306e18575a6cab188fdece0b2343588dec03968b65288190c0c0",
"modified_time": "2026-06-10T23:56:37Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:01:00.360751495Z",
"id": "IN-MAL-2026-005339"
},
{
"versions": [
"1.0.5"
],
"sha256": "929b37abcbef3fb43b3aaeec29e917240e6a69c5dbd84a64082f09df1b97dee7",
"modified_time": "2026-06-10T23:56:12Z",
"source": "amazon-inspector",
"import_time": "2026-06-11T00:00:59.735399565Z",
"id": "IN-MAL-2026-005334"
},
{
"versions": [
"1.0.9"
],
"sha256": "a8112adecee9cb8de528b88755300c268ec9a5cd2d2d427f951d23cbfd961abc",
"modified_time": "2026-06-10T23:55:26Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005330",
"import_time": "2026-06-11T00:00:59.306647963Z"
}
]
}{
"package_integrity": [
{
"filename": "zer0one-dnslog-1.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-irhcP/bb+q64hXZfeIu+ni6IMrB5s3+iet0HA3pGRdM11Bx7zULoI8D/JU5Ufa/6+fR+8oFs0gZHVwdGTkCzUQ==",
"sha1": "7ec6f9c4c525b147f5c476dbe5f9a9d0130a3982"
}
}
],
"evidence_files": [
{
"sha256": "e343aa6479e29bc61959e5c94c9c684bfbab4e312318b403f6382b55568c7e83",
"path": "postinstall.js",
"tlsh": "35016d983621be367e858f79d369030eb401f95b1fc0bb8481a61cf04d49e61b069b08"
}
],
"domains": [
"webhook.site"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/zer0one-dnslog/MAL-2026-5366.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]