{"id":"MAL-2026-10700","summary":"Malicious code in time-format-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (168d334d742003cf94d8b87ba56cd72694081ade01f6814062e58ebdc47d8594)\nOn npm install, the package's postinstall script decodes base64-encoded shell payloads and executes them via an obfuscated child_process.exec lookup (require('ch'+'il'+'d_p'+'rocess')['e'+'xec']). The shell payload reads ~/.aws/credentials, ~/.ssh/id_rsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.bash_history, the full process environment, and host identifiers (hostname, whoami, id, sudo -l), then POSTs the base64-encoded contents over plain HTTP to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com. Additional payloads issue curl requests through the installer host to http://tst.woa.com/flag.html and http://tst.woa.com/ssrf_forward.php with an oastify-subdomain host parameter, and POST the response bodies back to the same collaborator endpoint, using the installer as an SSRF relay. The package name ('time-format-kit') has no functional relationship to the observed behavior.\n\n## Source: ossf-package-analysis (013929714a8a46ad664ac923c9ce315df1b9351993cc7d2d06a325d8f0c49009)\nThe OpenSSF Package Analysis project identified 'time-format-kit' @ 1.0.2 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-07-16T19:20:01.084577502Z","published":"2026-07-16T14:26:20Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-16T14:43:39.526044543Z","modified_time":"2026-07-16T14:26:20Z","versions":["1.0.2"],"source":"ossf-package-analysis","sha256":"013929714a8a46ad664ac923c9ce315df1b9351993cc7d2d06a325d8f0c49009"},{"source":"amazon-inspector","sha256":"720cc381014fc2e82f745dc2709b894652cd25e1ee4889e6798d05a598b19623","import_time":"2026-07-16T18:53:59.336248897Z","id":"IN-MAL-2026-010690","modified_time":"2026-07-16T18:29:39Z","versions":["1.0.0"]},{"source":"amazon-inspector","sha256":"d50a73d9427a1765efc9ef52755ba856343a936a0fd349c83030bebb76870041","import_time":"2026-07-16T18:53:59.552273227Z","id":"IN-MAL-2026-010694","modified_time":"2026-07-16T18:33:24Z","versions":["1.0.2"]},{"import_time":"2026-07-16T18:53:59.679462897Z","id":"IN-MAL-2026-010696","modified_time":"2026-07-16T18:33:43Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"168d334d742003cf94d8b87ba56cd72694081ade01f6814062e58ebdc47d8594"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/time-format-kit/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/time-format-kit/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/time-format-kit/v/1.0.1"}],"affected":[{"package":{"name":"time-format-kit","ecosystem":"npm","purl":"pkg:npm/time-format-kit"},"versions":["1.0.2","1.0.0","1.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"c97edb081f43d718921d1036194d8a6f6d0fe947f3a0d6335fab9634f2793a29","tlsh":"647123bebd52b20c9b92350db34e1c8d0ae0501b746159b91d866e6093af07a9ccc23b"}],"package_integrity":[{"filename":"time-format-kit-1.0.0.tgz","hashes":{"sha512_sri":"sha512-s1h8hAvriCVPjO57ENXZ794AtMSVbTW2x3CwZ0Z20YEQ9cNRTWYwsFpA+OGGrBhF7wer5dtBJo3FTc/ObjAUUQ==","sha1":"53b7f8d01a1ade3045d76a7daab84e03a04e8717"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/time-format-kit/MAL-2026-10700.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}