{"id":"MAL-2026-6788","summary":"Malicious code in datefmt-helper (npm)","details":"The npm package `datefmt-helper` is a supply-chain dropper disguised as a benign date-formatting utility (its `description` reads \"dates formatting utility with locale support\"). The package ships no source repository and places its real behaviour in an install script.\n\nA `postinstall` lifecycle hook (`postinstall: node postinstall.js`) executes automatically on `npm install`, before the package is ever imported. The install script uses HTTP / `curl` / `wget` primitives to download a second-stage payload from the hardcoded external IP `115.190.124.243`, then executes it via a Node child process — the classic download-and-execute pattern. Any developer workstation or CI runner that installs the package (directly or transitively) hands arbitrary code execution to the operator of that endpoint.\n\nDetected and classified independently by codelake Research from the live npm feed on 2026-07-02; at the time of reporting the package was not present in OSV or GHSA (a first-catch).\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d92b853245953aa75db608f0ae2e5de2321301b94ca6b48f55746a1bd60b6ea4)\nOn `npm install`, the package's postinstall script fetches an unauthenticated payload over plain HTTP from a hardcoded bare IP (115.190.124.243:8761) and executes it. On Unix, `curl`/`wget` output is piped directly to `sh`. On Windows, `certutil.exe -urlcache -split -f` downloads a batch file to C:\\Users\\Public\\run.bat and executes it. The fetched content is unpinned, unverified, and mutable — the operator of the endpoint can serve arbitrary code at any time. The package advertises itself as a lightweight date formatter (`date-fns-lite` branding, impersonating the date-fns ecosystem), but the payload has no relationship to date formatting. The typosquat/impersonation branding combined with an install-time dropper is a supply-chain attack lure.\n","modified":"2026-07-09T16:31:57.214382425Z","published":"2026-07-04T00:00:00Z","database_specific":{"iocs":{"ips":["115.190.124.243"],"hashes":["sha256:f2f58e73becce20f28c6f18700731f48c067826defe8279da2e24e4f69c25c72"]},"malicious-packages-origins":[{"import_time":"2026-07-08T21:27:49.478008532Z","id":"IN-MAL-2026-008600","modified_time":"2026-07-08T20:34:26Z","versions":["1.0.1"],"source":"amazon-inspector","sha256":"3d7f5d0b1ca6df789353a5558b55adc3da08246c73ad0d1aba92f7321b4afec2"},{"source":"amazon-inspector","sha256":"d92b853245953aa75db608f0ae2e5de2321301b94ca6b48f55746a1bd60b6ea4","import_time":"2026-07-09T16:20:57.504713224Z","id":"IN-MAL-2026-009286","modified_time":"2026-07-09T15:55:25Z","versions":["1.0.0"]}]},"references":[{"type":"ADVISORY","url":"https://research.codelake.dev/advisories/clr-2026-2990-datefmt-helper"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/datefmt-helper/v/1.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/datefmt-helper/v/1.0.0"}],"affected":[{"package":{"name":"datefmt-helper","ecosystem":"npm","purl":"pkg:npm/datefmt-helper"},"versions":["1.0.0","1.0.1"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"postinstall.js","sha256":"256e9fe5552c4ae4d127d466e9380b13f8f27e0c1725bde58178c419155d23ac","tlsh":"6a3144e40cffed734357b0d2ab574113a1636107380aed89b68c42921fd38e89656ee9"},{"path":"package.json","sha256":"da2892b80eafe7e61670290e0cd88455cf253c491e1d8592b8647eab6c49af69","tlsh":"c5e020300952592329c497d5ed274d47bd214c17134dbc1523d75168c3debbb94fe52e"}],"package_integrity":[{"filename":"datefmt-helper-1.0.1.tgz","hashes":{"sha1":"bdff52fc1c42782e31f8ce8df956ef3406e161f9","sha512_sri":"sha512-RQNH7H30Ng7k11sym5oSVxYfiNwIgcCMp2t1D7LdUnUxFdJYQYkZTGDOglzz7Gn2wTBb5t/1CL+F11tC12pOvA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/datefmt-helper/MAL-2026-6788.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"codelake Research","contact":["https://research.codelake.dev/advisories/clr-2026-2990-datefmt-helper"],"type":"FINDER"}]}