{"id":"MAL-2026-10101","summary":"Malicious code in date-kit-lite (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ce3951661e57807f08fd4dcbf281c14dd1e596907e1a356a3ec503e45fe3b8af)\nThe package advertises itself as a lightweight date-formatting utility but its postinstall lifecycle script executes the `id` command and transmits the output (installer uid/gid/groups) to a hardcoded bare-IP endpoint at http://155.190.124.243:6788/?cmd_output=\u003cencoded\u003e. Delivery is attempted through three redundant transports (node http.get, curl, wget) with swallowed errors to maximize successful exfiltration. The beacon also gives the operator installer IP, User-Agent, and host identity for follow-on targeting. This behavior fires automatically on `npm install`, is entirely unrelated to the declared date-utility purpose, and uses plain HTTP to a bare IP with no legitimate justification. The package name and generic description mimic well-known date helpers (date-fns, dayjs) while the author field is a self-referential placeholder, consistent with a disguised dropper targeting incidental installers.\n","modified":"2026-07-09T23:47:01.172310606Z","published":"2026-07-09T23:10:21Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"sha256":"ce3951661e57807f08fd4dcbf281c14dd1e596907e1a356a3ec503e45fe3b8af","source":"amazon-inspector","import_time":"2026-07-09T23:30:56.403044571Z","id":"IN-MAL-2026-009602","modified_time":"2026-07-09T23:10:21Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-kit-lite/v/1.0.0"}],"affected":[{"package":{"name":"date-kit-lite","ecosystem":"npm","purl":"pkg:npm/date-kit-lite"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-kit-lite/MAL-2026-10101.json","indicators":{"evidence_files":[{"sha256":"3268a973540ef67255c402867f3b189b6a5ac912952d49cd408a09fe622f518d","path":"postinstall.js","tlsh":"7a01cbee21e163b0a8a358c6db2b2429654be0073a5dafd8bedc47160f5a11843326e4"},{"sha256":"2692ade90fd34d4a587e4b2660a1daa07915a765c5b0536be3208a8de6f789cb","path":"package.json","tlsh":"95e022300922562326c586e6ed124946ad210e23129cbc1823e3512883ceb7a94fd22a"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-aSjayzJemoS8Wdoh3okmQSf3DZdxj/I5KjWX9r1BRf8yAhp9Nw7gj7zzg1i+P6rq+9eonhrO1hSsN+MAGbKYfw==","sha1":"7506b3a805f38f813fd521212472b03b8ca824da"},"filename":"date-kit-lite-1.0.0.tgz"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}