{"id":"MAL-2026-5979","summary":"Malicious code in easy-day-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8602a5a154b50bb6351900a08fa45d7814c0f152e4379dcae53ccfa0b83db891)\nPackage name 'easy-day-js' impersonates the popular 'dayjs' library, copying dayjs's author ('iamkun'), homepage (https://day.js.org), repository URL, description, and version number (1.11.22 is a real dayjs release), and bundles dayjs.min.js as main to look legitimate. package.json adds a postinstall hook 'node setup.cjs --no-warnings' that does not exist in real dayjs. setup.cjs is heavily obfuscated with an obfuscator.io-style rotated base64 string array (a0_0x23bf) and decoder (a0_0x1a24) hiding API names ('node:child_process', 'node:fs', 'node:crypto', 'spawn', 'writeFileSync'). At install time it sets NODE_TLS_REJECT_UNAUTHORIZED='0' to disable TLS verification, writes the install directory path to os.tmpdir()/.pkg_history and an encoded buffer to os.tmpdir()/.pkg_logs (staging metadata for the second stage), fetches a JavaScript payload from https://23.254.164.92:8000/update/49890878, writes it to a random hex-named file in os.tmpdir(), spawns it detached with the installer's node interpreter (process.execPath, stdio:'ignore', unref()), and then unlinks setup.cjs to cover its tracks. Classic install-time remote-code-execution dropper combined with brand impersonation of dayjs.\n","modified":"2026-06-17T06:02:03.216081543Z","published":"2026-06-17T04:15:30Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-17T05:45:41.475148853Z","source":"amazon-inspector","modified_time":"2026-06-17T04:15:30Z","versions":["1.11.22"],"id":"IN-MAL-2026-006871","sha256":"8602a5a154b50bb6351900a08fa45d7814c0f152e4379dcae53ccfa0b83db891"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/easy-day-js/v/1.11.22"}],"affected":[{"package":{"name":"easy-day-js","ecosystem":"npm","purl":"pkg:npm/easy-day-js"},"versions":["1.11.22"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/easy-day-js/MAL-2026-5979.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"easy-day-js-1.11.22.tgz","hashes":{"sha1":"4727365754cc41e4ba5a483f328289fd09a54651","sha512_sri":"sha512-JkJVZNSsFBmlAXKECNErDjK+swkGYMuEnCW1wLYlHMl3Mfx16725kJ99f3261B0Bk7gJIGEZZZ+4TPAXUkTmcw=="}}],"evidence_files":[{"sha256":"b122a9873bedf145ae2a7fd024b5f309007dbb025149f4dc4ac3f7e4f32a36a4","tlsh":"ec9167adaf54529173993377bb3a34c2f007c83535d10497d25de7b1acc96a0daa0971","path":"setup.cjs"},{"sha256":"c38954e85bf5433e61e7c8f4230336695624ae88b6953afabf7bf817aa91b638","tlsh":"6451d035cd298d672ac441bd74acc28255b1c9a38c56f81c73aa535c8f6d62f20bef2d","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}