MAL-2026-6722

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-fns-lite/MAL-2026-6722.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6722
Published
2026-07-01T21:19:37Z
Modified
2026-07-01T22:16:51.380487164Z
Summary
Malicious code in date-fns-lite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)

date-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. The script harvests installer-side secrets — AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history — using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used date-fns library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host — especially in CI or a container with host mounts — will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.5"
            ],
            "sha256": "0eea3459d7924894dd7a609efe669b9e762bb88e4f939414d6f53fe16788e29f",
            "modified_time": "2026-07-01T21:20:34Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007947",
            "import_time": "2026-07-01T22:03:01.364950268Z"
        },
        {
            "versions": [
                "1.0.9"
            ],
            "sha256": "9853105f0307399f6f3f5e7eb836394fd4e73d319237033ab69966466a27342f",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:19:53Z",
            "id": "IN-MAL-2026-007942",
            "import_time": "2026-07-01T22:03:01.123641375Z"
        },
        {
            "versions": [
                "1.0.11"
            ],
            "sha256": "9af195b8341421ebe7b8f512aad362785fac8589348e8bdd8f88f7722abb40c5",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:19:37Z",
            "id": "IN-MAL-2026-007940",
            "import_time": "2026-07-01T22:03:01.017391333Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "ce45aef4b931fbf32e28f1b8faba0ddcb50ec7d31fd4bed58247df5803d1bf6d",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:21:21Z",
            "id": "IN-MAL-2026-007953",
            "import_time": "2026-07-01T22:03:01.745944098Z"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "0f9edf3018d73debfdf5bd44b17c05736bfcf41c6c5af81cbd50f505a9844ca6",
            "modified_time": "2026-07-01T21:21:14Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007952",
            "import_time": "2026-07-01T22:03:01.706103651Z"
        },
        {
            "versions": [
                "1.0.6"
            ],
            "sha256": "2e46efde053535d5d1b8c10671e3ada0985ee5cf1d3774925f4d78f5f955bfbd",
            "modified_time": "2026-07-01T21:20:25Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007946",
            "import_time": "2026-07-01T22:03:01.328937289Z"
        },
        {
            "versions": [
                "1.0.10"
            ],
            "sha256": "4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:20:09Z",
            "id": "IN-MAL-2026-007944",
            "import_time": "2026-07-01T22:03:01.235428566Z"
        },
        {
            "versions": [
                "1.0.8"
            ],
            "sha256": "b081b25d3ed80e6fb14012cd428e6b60c1ed7b77ce769f1510f73a2195a1f985",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T21:20:16Z",
            "id": "IN-MAL-2026-007945",
            "import_time": "2026-07-01T22:03:01.297111308Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "ca6dd98e3ea21871ac47c5ff8e0bdacad9543caa8094c1a709666e559dd6cc29",
            "modified_time": "2026-07-01T21:21:06Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007951",
            "import_time": "2026-07-01T22:03:01.619286475Z"
        },
        {
            "versions": [
                "1.0.7"
            ],
            "sha256": "f3318b0646ee273862994f3f82e9f10f5509bad27643f60d737407751819e3eb",
            "modified_time": "2026-07-01T21:20:58Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007950",
            "import_time": "2026-07-01T22:03:01.517320725Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "35d8ec9fe8175187d954aa5990d138efda2b727b12a014cda50cdc094a0241c5",
            "modified_time": "2026-07-01T21:20:49Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-01T22:03:01.469652495Z",
            "id": "IN-MAL-2026-007949"
        },
        {
            "versions": [
                "1.0.12"
            ],
            "sha256": "8d10a0d7bcaa1ec28f749d4cb493ce930f7c59d2b59a627cf1443ebf6e5ed26e",
            "modified_time": "2026-07-01T21:20:00Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007943",
            "import_time": "2026-07-01T22:03:01.199460609Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "980ccf3d2bcf2e7571c3ce0302f1c8a32667e3f57f0b49c2a2dd7b7bfc02fa28",
            "modified_time": "2026-07-01T21:20:41Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007948",
            "import_time": "2026-07-01T22:03:01.424377839Z"
        }
    ]
}

Affected packages

npm / date-fns-lite

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "date-fns-lite-1.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-SjGJX0jgJh+dSAy7IFbltbuap26Qn1Y/Iz/43jG3Zc3+0hILPcp8ut7rdXnl5LQpdIwecWhrOvDsOHHp5ZQy6Q==",
                "sha1": "1f6ba05d374fbacf04a92f6fb913fe6231224b39"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "e3f0715ac3e04524b506c4d4a2c3c876a1337bb0c5e845b0d222712472662abf",
            "path": "postinstall.js",
            "tlsh": "acf197657afb21245a6ad4eaa28f21123510f50b3e04ce94766c47d0bf8a0b8b6773dd"
        },
        {
            "sha256": "d44e4fd7032afcb424ecab971c0d90eed6229f25996ef9af99955630fcfb74d8",
            "path": "package.json",
            "tlsh": "1be06830082259232ac587e6ed220e477d200d23025cbc1823e3512883ceb7b98fd22e"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-fns-lite/MAL-2026-6722.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]