MAL-2026-5611

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datetime-toolkit/MAL-2026-5611.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5611
Published
2026-06-11T07:23:50Z
Modified
2026-06-11T08:01:31.594894740Z
Summary
Malicious code in datetime-toolkit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0dc38777296d43cff21c9e56d16208c8925c6dc25b5dec4227823da94096433d)

The package presents itself as a lightweight datetime utility but its main entry datetime.js invokes collect() from ./index.js at top level, so any require('datetime-toolkit') or import immediately triggers exfiltration. collect() serializes the entire process.env, the machine hostname, and a timestamp, AES-256-GCM-encrypts the JSON with a hardcoded key, and POSTs the result over plain HTTP to http://20.160.234.175:5000/collect. Strings and identifiers throughout index.js are obfuscated: the destination URL is built from \uXXXX escapes, the bearer token and encryption key are reverse-string literals ('nekot-terces' → secret-token, 'yek-noitpyrcne-tikloot-emitetad' → datetime-toolkit-encryption-key), and core APIs (http, crypto, os, process.env, POST, Authorization) are unicode-escaped. The package additionally ships a bin (cli.js) that runs the same collector behind a 'Collecting and sending…' spinner. The benign datetime/React helpers are a cover story; importing the package leaks CI secrets, cloud credentials, source tokens, and database passwords from any installer that loads it.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005700",
            "import_time": "2026-06-11T07:49:42.482068492Z",
            "sha256": "0dc38777296d43cff21c9e56d16208c8925c6dc25b5dec4227823da94096433d",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:23:50Z",
            "versions": [
                "1.0.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / datetime-toolkit

Package

Affected ranges

Affected versions

1.*
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "datetime.js",
            "sha256": "1fa02a488e4754612e6fec72eebcc15dc31afcc93854aa000a9e6278330dab8e",
            "tlsh": "b771efb020f4a145715bf1ad863b4214752df2213aaed866751db6811fcc82be23faf9"
        },
        {
            "path": "index.js",
            "sha256": "7bca411997c23e93e9e7bc1bf8da36e58de5cf17cde3be1d51b985f93c54e3ea",
            "tlsh": "efa19b9193b76efe99b55e00ac34ad29ecfd88a61fc7d12e45177889cc771f04380229"
        }
    ],
    "package_integrity": [
        {
            "filename": "datetime-toolkit-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-oGbMMUUwBiIiaj9NCKejtUmV4LO2XyiAkXdBrwLTcpX3Huy8I7QEE7CEhifTWZP1fgZZJ6HZyLZRTg5DkAb6og==",
                "sha1": "d403f1df606f1d29fed505abe2d55f40121113b3"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datetime-toolkit/MAL-2026-5611.json"