-= Per source details. Do not edit below this line.=-
date-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. The per-source entries below flag every version from 1.0.0 through 1.0.12; this description names 1.0.10. The script harvests installer-side secrets — AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history — using /proc/1/root traversal to reach the host filesystem from inside a container (that path resolves to the host root only when the container shares the host PID namespace and the process has sufficient privileges; otherwise it is the container's own root). It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and the GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used date-fns library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host — especially in CI or a container with host mounts — will disclose cloud credentials, SSH keys, and an internal-network map to the attacker. Any secret readable from a host or build job that installed the package should be treated as exposed and rotated.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.5"
],
"sha256": "0eea3459d7924894dd7a609efe669b9e762bb88e4f939414d6f53fe16788e29f",
"modified_time": "2026-07-01T21:20:34Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007947",
"import_time": "2026-07-01T22:03:01.364950268Z"
},
{
"versions": [
"1.0.9"
],
"sha256": "9853105f0307399f6f3f5e7eb836394fd4e73d319237033ab69966466a27342f",
"source": "amazon-inspector",
"modified_time": "2026-07-01T21:19:53Z",
"id": "IN-MAL-2026-007942",
"import_time": "2026-07-01T22:03:01.123641375Z"
},
{
"versions": [
"1.0.11"
],
"sha256": "9af195b8341421ebe7b8f512aad362785fac8589348e8bdd8f88f7722abb40c5",
"source": "amazon-inspector",
"modified_time": "2026-07-01T21:19:37Z",
"id": "IN-MAL-2026-007940",
"import_time": "2026-07-01T22:03:01.017391333Z"
},
{
"versions": [
"1.0.0"
],
"sha256": "ce45aef4b931fbf32e28f1b8faba0ddcb50ec7d31fd4bed58247df5803d1bf6d",
"source": "amazon-inspector",
"modified_time": "2026-07-01T21:21:21Z",
"id": "IN-MAL-2026-007953",
"import_time": "2026-07-01T22:03:01.745944098Z"
},
{
"versions": [
"1.0.1"
],
"sha256": "0f9edf3018d73debfdf5bd44b17c05736bfcf41c6c5af81cbd50f505a9844ca6",
"modified_time": "2026-07-01T21:21:14Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007952",
"import_time": "2026-07-01T22:03:01.706103651Z"
},
{
"versions": [
"1.0.6"
],
"sha256": "2e46efde053535d5d1b8c10671e3ada0985ee5cf1d3774925f4d78f5f955bfbd",
"modified_time": "2026-07-01T21:20:25Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007946",
"import_time": "2026-07-01T22:03:01.328937289Z"
},
{
"versions": [
"1.0.10"
],
"sha256": "4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51",
"source": "amazon-inspector",
"modified_time": "2026-07-01T21:20:09Z",
"id": "IN-MAL-2026-007944",
"import_time": "2026-07-01T22:03:01.235428566Z"
},
{
"versions": [
"1.0.8"
],
"sha256": "b081b25d3ed80e6fb14012cd428e6b60c1ed7b77ce769f1510f73a2195a1f985",
"source": "amazon-inspector",
"modified_time": "2026-07-01T21:20:16Z",
"id": "IN-MAL-2026-007945",
"import_time": "2026-07-01T22:03:01.297111308Z"
},
{
"versions": [
"1.0.2"
],
"sha256": "ca6dd98e3ea21871ac47c5ff8e0bdacad9543caa8094c1a709666e559dd6cc29",
"modified_time": "2026-07-01T21:21:06Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007951",
"import_time": "2026-07-01T22:03:01.619286475Z"
},
{
"versions": [
"1.0.7"
],
"sha256": "f3318b0646ee273862994f3f82e9f10f5509bad27643f60d737407751819e3eb",
"modified_time": "2026-07-01T21:20:58Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007950",
"import_time": "2026-07-01T22:03:01.517320725Z"
},
{
"versions": [
"1.0.3"
],
"sha256": "35d8ec9fe8175187d954aa5990d138efda2b727b12a014cda50cdc094a0241c5",
"modified_time": "2026-07-01T21:20:49Z",
"source": "amazon-inspector",
"import_time": "2026-07-01T22:03:01.469652495Z",
"id": "IN-MAL-2026-007949"
},
{
"versions": [
"1.0.12"
],
"sha256": "8d10a0d7bcaa1ec28f749d4cb493ce930f7c59d2b59a627cf1443ebf6e5ed26e",
"modified_time": "2026-07-01T21:20:00Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007943",
"import_time": "2026-07-01T22:03:01.199460609Z"
},
{
"versions": [
"1.0.4"
],
"sha256": "980ccf3d2bcf2e7571c3ce0302f1c8a32667e3f57f0b49c2a2dd7b7bfc02fa28",
"modified_time": "2026-07-01T21:20:41Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-007948",
"import_time": "2026-07-01T22:03:01.424377839Z"
}
]
}{
"package_integrity": [
{
"filename": "date-fns-lite-1.0.5.tgz",
"hashes": {
"sha512_sri": "sha512-SjGJX0jgJh+dSAy7IFbltbuap26Qn1Y/Iz/43jG3Zc3+0hILPcp8ut7rdXnl5LQpdIwecWhrOvDsOHHp5ZQy6Q==",
"sha1": "1f6ba05d374fbacf04a92f6fb913fe6231224b39"
}
}
],
"evidence_files": [
{
"sha256": "e3f0715ac3e04524b506c4d4a2c3c876a1337bb0c5e845b0d222712472662abf",
"path": "postinstall.js",
"tlsh": "acf197657afb21245a6ad4eaa28f21123510f50b3e04ce94766c47d0bf8a0b8b6773dd"
},
{
"sha256": "d44e4fd7032afcb424ecab971c0d90eed6229f25996ef9af99955630fcfb74d8",
"path": "package.json",
"tlsh": "1be06830082259232ac587e6ed220e477d200d23025cbc1823e3512883ceb7b98fd22e"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-fns-lite/MAL-2026-6722.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]