MAL-2026-6566

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-uuid/MAL-2026-6566.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6566
Published
2026-06-29T04:09:22Z
Modified
2026-06-29T05:16:44.174100656Z
Summary
Malicious code in date-uuid (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a)

Package advertised as a UUIDv7 helper, but on require()/import it auto-invokes extractDateISO() in bootstrap.js, which reads README.md from process.cwd(), extracts two specific lines (120 and 123), and base64-decodes them after prepending 'aH' and inserting 'Rz' to reconstruct an 'http...' URL (the prefix 'aHR0c' decodes to 'http'). The reconstructed URL is fetched, written to os.tmpdir() as temp<timestamp>.vbs (the '.vbs' extension is split as 'v'+'b'+'s' to evade grep), and executed via child_process.exec. The behavior is unrelated to the advertised UUID functionality. Sourcing the payload URL from the caller's README rather than the package source decouples the attacker-controlled destination from the published artifact and enables staged/deniable deployment: a chained attack or a future README edit can change what gets executed without republishing the package. Obfuscation devices (string-splitting the script extension, base64 framing of the URL prefix) co-located with the fetch-and-exec path indicate deliberate evasion intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-06-29T05:07:05.419863182Z",
            "modified_time": "2026-06-29T04:09:22Z",
            "source": "amazon-inspector",
            "sha256": "58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-007711"
        },
        {
            "modified_time": "2026-06-29T04:09:35Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "source": "amazon-inspector",
            "sha256": "8f8034cbe06fea0d316e5f04dc7b8f88197b6430515f02543f8b5ce964f2451f",
            "id": "IN-MAL-2026-007712",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-06-29T05:07:05.603011997Z"
        }
    ]
}
References
Credits

Affected packages

npm / date-uuid

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1.*
1.0.0
1.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-uuid/MAL-2026-6566.json"
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "date-uuid-1.0.1.tgz",
            "hashes": {
                "sha1": "e52c8b0ce20a37c6fa70271d3a5d6935fc7cf750",
                "sha512_sri": "sha512-kJkHL87mrBbbJunwQZqmh5PYgppxjz02C12vZakumPyb6a5oXr8tJOvrrfHozzQNMzZc2MJpMa5BtlMl7zy7Ww=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "81d184d06563b2528ef663704392400df69fd122392681e6fedc64812fef264e5e2edc",
            "sha256": "18f4b1801146529d0b42b0166d758a637773f3e98c3e5669f5686b8a8cb827d4",
            "path": "lib/store.js"
        }
    ]
}