{"id":"MAL-2026-6308","summary":"Malicious code in @lazyutil/dater (npm)","details":"@lazyutil/dater (malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by lazyutil-78muyg@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern \u003cscope\u003e-\u003c6 random chars\u003e@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a date library and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tzinit.js in the earliest variant, dist/lib/tzinit.cjs thereafter). package.json declares a postinstall hook (e.g. \"node ./dist/lib/tzinit.cjs\") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.9.5) points to a scrubbed release with an empty scripts block. The 0.9.4 payload blob is byte-identical to @glitchpad/throttler@2.2.3 from the same campaign. Malicious payload dist/lib/tzinit.cjs (0.9.4) SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)\n@lazyutil/dater is a trojanized repackage of the legitimate `timezonecomplete` library. Its package.json declares `postinstall: node./dist/lib/tzinit.cjs`, which runs automatically on `npm install`. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR + control-flow flattening) that uses AES-256-GCM with a hardcoded key/IV/AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via `process.execPath` or `sh -c`. The dropper is platform-gated for win32/darwin/linux, retries with backoff, and re-execs the package's process. None of this is required for a date/timezone library and the legitimate upstream has neither a postinstall nor a tzinit.cjs. Trojanization signals: package description is copied verbatim from `timezonecomplete`, the `repository` field still points at the upstream author's git URL (`github.com/rogierschouten/timezonecomplete`), `homepage` points at a placeholder `github.com/lazyutil`, and `author` is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer's machine.\n","modified":"2026-06-23T19:46:25.344529318Z","published":"2026-06-22T12:00:00Z","database_specific":{"malicious-packages-origins":[{"sha256":"1e60ea16a2304b00c24feeb56b14387e7b137e4e832eebeef61536bbdc30ee64","versions":["0.9.2"],"modified_time":"2026-06-23T16:22:40Z","id":"IN-MAL-2026-007295","import_time":"2026-06-23T16:54:15.639200311Z","source":"amazon-inspector"},{"sha256":"3085d5883cb7184bb57024ffe4bb1c5760ea3b120ce4b4dee03c874b3cbc62d4","versions":["0.8.1"],"modified_time":"2026-06-23T16:22:43Z","id":"IN-MAL-2026-007298","import_time":"2026-06-23T16:54:15.940425918Z","source":"amazon-inspector"},{"modified_time":"2026-06-23T16:22:37Z","sha256":"362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a","import_time":"2026-06-23T16:54:15.517199005Z","id":"IN-MAL-2026-007293","versions":["0.9.4"],"source":"amazon-inspector"},{"sha256":"af4babebb1ad40ecc1260f2036da3052003e645d7edfdcc5d03bd6105748659d","versions":["0.9.5"],"import_time":"2026-06-23T16:54:15.586697918Z","id":"IN-MAL-2026-007294","modified_time":"2026-06-23T16:22:38Z","source":"amazon-inspector"},{"sha256":"c55953491fa63e65d06f8db1855ea4ae815244b2c0b7590f609ca0b460928181","versions":["0.9.3"],"modified_time":"2026-06-23T16:22:43Z","id":"IN-MAL-2026-007297","import_time":"2026-06-23T16:54:15.828809301Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater/v/0.9.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater/v/0.8.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater/v/0.9.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater/v/0.9.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater/v/0.9.3"},{"type":"REPORT","url":"https://safedep.io/wshu-net-npm-credential-stealer-campaign/"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@lazyutil/dater"}],"affected":[{"package":{"name":"@lazyutil/dater","ecosystem":"npm","purl":"pkg:npm/%40lazyutil%2Fdater"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["0.9.2","0.8.1","0.9.4","0.9.5","0.9.3"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875","tlsh":"6e445151a3c9bc8012479f767b5ef2e9fa290aac745408afd404bd54bbfa507dbe0630","path":"dist/lib/tzinit.cjs"},{"tlsh":"67218c3cc4354d633ee87ad4ac6a7845677148074e547d1432cb04ac8b8e2eb52bf2ee","sha256":"8b768658e4e12b0dd77170bd4d14e7ebc16927db68bdddcc954d8544f889bb31","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"2f7e922ccb07ac36f1c7205d7a7cee133a1fb98f","sha512_sri":"sha512-WW55u7N8p6FY4r0DWyRcGWebN3XxsjdHOOLfiO4FTNrdyv99yxMoPtJ8LaXsAxobWsBSzMQOufEvSmENqo4KwA=="},"filename":"dater-0.9.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@lazyutil/dater/MAL-2026-6308.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}