MAL-2026-5979

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/easy-day-js/MAL-2026-5979.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5979

Published

2026-06-17T04:15:30Z

Modified

2026-06-17T06:02:03.216081543Z

Summary

Malicious code in easy-day-js (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8602a5a154b50bb6351900a08fa45d7814c0f152e4379dcae53ccfa0b83db891)

Package name 'easy-day-js' impersonates the popular 'dayjs' library, copying dayjs's author ('iamkun'), homepage (https://day.js.org), repository URL, description, and version number (1.11.22 is a real dayjs release), and bundles dayjs.min.js as main to look legitimate. package.json adds a postinstall hook 'node setup.cjs --no-warnings' that does not exist in real dayjs. setup.cjs is heavily obfuscated with an obfuscator.io-style rotated base64 string array (a00x23bf) and decoder (a00x1a24) hiding API names ('node:childprocess', 'node:fs', 'node:crypto', 'spawn', 'writeFileSync'). At install time it sets NODETLSREJECTUNAUTHORIZED='0' to disable TLS verification, writes the install directory path to os.tmpdir()/.pkghistory and an encoded buffer to os.tmpdir()/.pkglogs (staging metadata for the second stage), fetches a JavaScript payload from https://23.254.164.92:8000/update/49890878, writes it to a random hex-named file in os.tmpdir(), spawns it detached with the installer's node interpreter (process.execPath, stdio:'ignore', unref()), and then unlinks setup.cjs to cover its tracks. Classic install-time remote-code-execution dropper combined with brand impersonation of dayjs.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006871",
            "import_time": "2026-06-17T05:45:41.475148853Z",
            "source": "amazon-inspector",
            "versions": [
                "1.11.22"
            ],
            "modified_time": "2026-06-17T04:15:30Z",
            "sha256": "8602a5a154b50bb6351900a08fa45d7814c0f152e4379dcae53ccfa0b83db891"
        }
    ]
}

References

https://www.npmjs.com/package/easy-day-js/v/1.11.22

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / easy-day-js

Package

Name: easy-day-js; View open source insights on deps.dev
Purl: pkg:npm/easy-day-js

Affected ranges

Affected versions

1.*

1.11.22

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/easy-day-js/MAL-2026-5979.json"

indicators

{
    "package_integrity": [
        {
            "filename": "easy-day-js-1.11.22.tgz",
            "hashes": {
                "sha1": "4727365754cc41e4ba5a483f328289fd09a54651",
                "sha512_sri": "sha512-JkJVZNSsFBmlAXKECNErDjK+swkGYMuEnCW1wLYlHMl3Mfx16725kJ99f3261B0Bk7gJIGEZZZ+4TPAXUkTmcw=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "setup.cjs",
            "sha256": "b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4",
            "tlsh": "ec9167adaf54529173993377bb3a34c2f007c83535d10497d25de7b1acc96a0daa0971"
        },
        {
            "path": "package.json",
            "sha256": "c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638",
            "tlsh": "6451d035cd298d672ac441bd74acc28255b1c9a38c56f81c73aa535c8f6d62f20bef2d"
        }
    ]
}