{"id":"MAL-2026-6722","summary":"Malicious code in date-fns-lite (npm)","details":"All thirteen listed versions of date-fns-lite (1.0.0 through 1.0.12) are marked as affected by this record; the per-source analysis below was written against version 1.0.10.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)\ndate-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on `npm install`. The script harvests installer-side secrets — AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history — using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used `date-fns` library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. 
Installing this package on any host — especially in CI or a container with host mounts — will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.\n","modified":"2026-07-01T22:16:51.380487164Z","published":"2026-07-01T21:19:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"0eea3459d7924894dd7a609efe669b9e762bb88e4f939414d6f53fe16788e29f","import_time":"2026-07-01T22:03:01.364950268Z","versions":["1.0.5"],"modified_time":"2026-07-01T21:20:34Z","source":"amazon-inspector","id":"IN-MAL-2026-007947"},{"sha256":"9853105f0307399f6f3f5e7eb836394fd4e73d319237033ab69966466a27342f","import_time":"2026-07-01T22:03:01.123641375Z","versions":["1.0.9"],"modified_time":"2026-07-01T21:19:53Z","source":"amazon-inspector","id":"IN-MAL-2026-007942"},{"sha256":"9af195b8341421ebe7b8f512aad362785fac8589348e8bdd8f88f7722abb40c5","import_time":"2026-07-01T22:03:01.017391333Z","versions":["1.0.11"],"modified_time":"2026-07-01T21:19:37Z","source":"amazon-inspector","id":"IN-MAL-2026-007940"},{"sha256":"ce45aef4b931fbf32e28f1b8faba0ddcb50ec7d31fd4bed58247df5803d1bf6d","import_time":"2026-07-01T22:03:01.745944098Z","versions":["1.0.0"],"modified_time":"2026-07-01T21:21:21Z","source":"amazon-inspector","id":"IN-MAL-2026-007953"},{"sha256":"0f9edf3018d73debfdf5bd44b17c05736bfcf41c6c5af81cbd50f505a9844ca6","versions":["1.0.1"],"import_time":"2026-07-01T22:03:01.706103651Z","modified_time":"2026-07-01T21:21:14Z","source":"amazon-inspector","id":"IN-MAL-2026-007952"},{"sha256":"2e46efde053535d5d1b8c10671e3ada0985ee5cf1d3774925f4d78f5f955bfbd","versions":["1.0.6"],"import_time":"2026-07-01T22:03:01.328937289Z","modified_time":"2026-07-01T21:20:25Z","source":"amazon-inspector","id":"IN-MAL-2026-007946"},{"sha256":"4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51","import_time":"2026-07-01T22:03:01.235428566Z","versions":["1.0.10"],"modified_time":"2026-07-01T21:20:09Z","source":"amazon-inspector","id":"IN-MAL-2026-007944"},{"sha256":"b081
b25d3ed80e6fb14012cd428e6b60c1ed7b77ce769f1510f73a2195a1f985","import_time":"2026-07-01T22:03:01.297111308Z","versions":["1.0.8"],"modified_time":"2026-07-01T21:20:16Z","source":"amazon-inspector","id":"IN-MAL-2026-007945"},{"sha256":"ca6dd98e3ea21871ac47c5ff8e0bdacad9543caa8094c1a709666e559dd6cc29","import_time":"2026-07-01T22:03:01.619286475Z","versions":["1.0.2"],"modified_time":"2026-07-01T21:21:06Z","source":"amazon-inspector","id":"IN-MAL-2026-007951"},{"sha256":"f3318b0646ee273862994f3f82e9f10f5509bad27643f60d737407751819e3eb","versions":["1.0.7"],"import_time":"2026-07-01T22:03:01.517320725Z","modified_time":"2026-07-01T21:20:58Z","source":"amazon-inspector","id":"IN-MAL-2026-007950"},{"sha256":"35d8ec9fe8175187d954aa5990d138efda2b727b12a014cda50cdc094a0241c5","versions":["1.0.3"],"import_time":"2026-07-01T22:03:01.469652495Z","modified_time":"2026-07-01T21:20:49Z","source":"amazon-inspector","id":"IN-MAL-2026-007949"},{"sha256":"8d10a0d7bcaa1ec28f749d4cb493ce930f7c59d2b59a627cf1443ebf6e5ed26e","import_time":"2026-07-01T22:03:01.199460609Z","versions":["1.0.12"],"modified_time":"2026-07-01T21:20:00Z","source":"amazon-inspector","id":"IN-MAL-2026-007943"},{"sha256":"980ccf3d2bcf2e7571c3ce0302f1c8a32667e3f57f0b49c2a2dd7b7bfc02fa28","versions":["1.0.4"],"import_time":"2026-07-01T22:03:01.424377839Z","modified_time":"2026-07-01T21:20:41Z","source":"amazon-inspector","id":"IN-MAL-2026-007948"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.9"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.11"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.10"},{"type":"
PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.12"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/date-fns-lite/v/1.0.4"}],"affected":[{"package":{"name":"date-fns-lite","ecosystem":"npm","purl":"pkg:npm/date-fns-lite"},"versions":["1.0.5","1.0.9","1.0.11","1.0.0","1.0.1","1.0.6","1.0.10","1.0.8","1.0.2","1.0.7","1.0.3","1.0.12","1.0.4"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"e3f0715ac3e04524b506c4d4a2c3c876a1337bb0c5e845b0d222712472662abf","path":"postinstall.js","tlsh":"acf197657afb21245a6ad4eaa28f21123510f50b3e04ce94766c47d0bf8a0b8b6773dd"},{"sha256":"d44e4fd7032afcb424ecab971c0d90eed6229f25996ef9af99955630fcfb74d8","path":"package.json","tlsh":"1be06830082259232ac587e6ed220e477d200d23025cbc1823e3512883ceb7b98fd22e"}],"package_integrity":[{"filename":"date-fns-lite-1.0.5.tgz","hashes":{"sha512_sri":"sha512-SjGJX0jgJh+dSAy7IFbltbuap26Qn1Y/Iz/43jG3Zc3+0hILPcp8ut7rdXnl5LQpdIwecWhrOvDsOHHp5ZQy6Q==","sha1":"1f6ba05d374fbacf04a92f6fb913fe6231224b39"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/date-fns-lite/MAL-2026-6722.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious 
Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}