MAL-2026-6788

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datefmt-helper/MAL-2026-6788.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6788
Published
2026-07-04T00:00:00Z
Modified
2026-07-09T16:31:57.214382425Z
Summary
Malicious code in datefmt-helper (npm)
Details

The npm package datefmt-helper is a supply-chain dropper disguised as a benign date-formatting utility (its description reads "dates formatting utility with locale support"). The package ships no source repository and places its real behaviour in an install script.

A postinstall lifecycle hook (postinstall: node postinstall.js) executes automatically on npm install, before the package is ever imported. The install script uses HTTP / curl / wget primitives to download a second-stage payload from the hardcoded external IP 115.190.124.243, then executes it via a Node child process — the classic download-and-execute pattern. Any developer workstation or CI runner that installs the package (directly or transitively) hands arbitrary code execution to the operator of that endpoint.

Detected and classified independently by codelake Research from the live npm feed on 2026-07-02; at the time of reporting the package was not present in OSV or GHSA (a first-catch).


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d92b853245953aa75db608f0ae2e5de2321301b94ca6b48f55746a1bd60b6ea4)

On npm install, the package's postinstall script fetches an unauthenticated payload over plain HTTP from a hardcoded bare IP (115.190.124.243:8761) and executes it. On Unix, curl/wget output is piped directly to sh. On Windows, certutil.exe -urlcache -split -f downloads a batch file to C:\Users\Public\run.bat and executes it. The fetched content is unpinned, unverified, and mutable — the operator of the endpoint can serve arbitrary code at any time. The package advertises itself as a lightweight date formatter (date-fns-lite branding, impersonating the date-fns ecosystem), but the payload has no relationship to date formatting. The typosquat/impersonation branding combined with an install-time dropper is a supply-chain attack lure.

Database specific
{
    "iocs": {
        "ips": [
            "115.190.124.243"
        ],
        "hashes": [
            "sha256:f2f58e73becce20f28c6f18700731f48c067826defe8279da2e24e4f69c25c72"
        ]
    },
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T20:34:26Z",
            "versions": [
                "1.0.1"
            ],
            "sha256": "3d7f5d0b1ca6df789353a5558b55adc3da08246c73ad0d1aba92f7321b4afec2",
            "import_time": "2026-07-08T21:27:49.478008532Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-008600"
        },
        {
            "modified_time": "2026-07-09T15:55:25Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "d92b853245953aa75db608f0ae2e5de2321301b94ca6b48f55746a1bd60b6ea4",
            "import_time": "2026-07-09T16:20:57.504713224Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-009286"
        }
    ]
}
References
Credits

Affected packages

npm / datefmt-helper

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "6a3144e40cffed734357b0d2ab574113a1636107380aed89b68c42921fd38e89656ee9",
            "sha256": "256e9fe5552c4ae4d127d466e9380b13f8f27e0c1725bde58178c419155d23ac",
            "path": "postinstall.js"
        },
        {
            "tlsh": "c5e020300952592329c497d5ed274d47bd214c17134dbc1523d75168c3debbb94fe52e",
            "sha256": "da2892b80eafe7e61670290e0cd88455cf253c491e1d8592b8647eab6c49af69",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "bdff52fc1c42782e31f8ce8df956ef3406e161f9",
                "sha512_sri": "sha512-RQNH7H30Ng7k11sym5oSVxYfiNwIgcCMp2t1D7LdUnUxFdJYQYkZTGDOglzz7Gn2wTBb5t/1CL+F11tC12pOvA=="
            },
            "filename": "datefmt-helper-1.0.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datefmt-helper/MAL-2026-6788.json"