MAL-2026-6308

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@lazyutil/dater/MAL-2026-6308.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6308

Published

2026-06-22T12:00:00Z

Modified

2026-06-23T19:46:25.344529318Z

Summary

Malicious code in @lazyutil/dater (npm)

Details

@lazyutil/dater (malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by lazyutil-78muyg@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a date library and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tzinit.js in the earliest variant, dist/lib/tzinit.cjs thereafter). package.json declares a postinstall hook (e.g. "node ./dist/lib/tzinit.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.9.5) points to a scrubbed release with an empty scripts block. The 0.9.4 payload blob is byte-identical to @glitchpad/throttler@2.2.3 from the same campaign. Malicious payload dist/lib/tzinit.cjs (0.9.4) SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)

@lazyutil/dater is a trojanized repackage of the legitimate timezonecomplete library. Its package.json declares postinstall: node./dist/lib/tzinit.cjs, which runs automatically on npm install. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR + control-flow flattening) that uses AES-256-GCM with a hardcoded key/IV/AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via process.execPath or sh -c. The dropper is platform-gated for win32/darwin/linux, retries with backoff, and re-execs the package's process. None of this is required for a date/timezone library and the legitimate upstream has neither a postinstall nor a tzinit.cjs. Trojanization signals: package description is copied verbatim from timezonecomplete, the repository field still points at the upstream author's git URL (github.com/rogierschouten/timezonecomplete), homepage points at a placeholder github.com/lazyutil, and author is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer's machine.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "1e60ea16a2304b00c24feeb56b14387e7b137e4e832eebeef61536bbdc30ee64",
            "id": "IN-MAL-2026-007295",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:40Z",
            "versions": [
                "0.9.2"
            ],
            "import_time": "2026-06-23T16:54:15.639200311Z"
        },
        {
            "sha256": "3085d5883cb7184bb57024ffe4bb1c5760ea3b120ce4b4dee03c874b3cbc62d4",
            "id": "IN-MAL-2026-007298",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:43Z",
            "versions": [
                "0.8.1"
            ],
            "import_time": "2026-06-23T16:54:15.940425918Z"
        },
        {
            "sha256": "362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a",
            "import_time": "2026-06-23T16:54:15.517199005Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:37Z",
            "versions": [
                "0.9.4"
            ],
            "id": "IN-MAL-2026-007293"
        },
        {
            "sha256": "af4babebb1ad40ecc1260f2036da3052003e645d7edfdcc5d03bd6105748659d",
            "import_time": "2026-06-23T16:54:15.586697918Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:38Z",
            "versions": [
                "0.9.5"
            ],
            "id": "IN-MAL-2026-007294"
        },
        {
            "sha256": "c55953491fa63e65d06f8db1855ea4ae815244b2c0b7590f609ca0b460928181",
            "import_time": "2026-06-23T16:54:15.828809301Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:22:43Z",
            "versions": [
                "0.9.3"
            ],
            "id": "IN-MAL-2026-007297"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com
- SafeDep - FINDER
- - https://safedep.io

Affected packages

npm / @lazyutil/dater

Package

Name: @lazyutil/dater; View open source insights on deps.dev
Purl: pkg:npm/%40lazyutil%2Fdater

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.8.1

0.9.2

0.9.3

0.9.4

0.9.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@lazyutil/dater/MAL-2026-6308.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "tlsh": "6e445151a3c9bc8012479f767b5ef2e9fa290aac745408afd404bd54bbfa507dbe0630",
            "sha256": "68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875",
            "path": "dist/lib/tzinit.cjs"
        },
        {
            "sha256": "8b768658e4e12b0dd77170bd4d14e7ebc16927db68bdddcc954d8544f889bb31",
            "tlsh": "67218c3cc4354d633ee87ad4ac6a7845677148074e547d1432cb04ac8b8e2eb52bf2ee",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "dater-0.9.2.tgz",
            "hashes": {
                "sha1": "2f7e922ccb07ac36f1c7205d7a7cee133a1fb98f",
                "sha512_sri": "sha512-WW55u7N8p6FY4r0DWyRcGWebN3XxsjdHOOLfiO4FTNrdyv99yxMoPtJ8LaXsAxobWsBSzMQOufEvSmENqo4KwA=="
            }
        }
    ]
}