OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10101 confirms this npm version as malicious. The package advertises itself as a lightweight date-formatting utility but its postinstall lifecycle script executes the `id` command and transmits the output (installer uid/gid/groups) to a hardcoded bare-IP endpoint at http://155.190.124.243:6788/?cmd_output=<encoded>. Delivery is attempted through three redundant transports (node http.get, curl, wget) with swallowed errors to maximize successful exfiltration...
Advisory
MAL-2026-10101
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in date-kit-lite (npm)
Details
The package advertises itself as a lightweight date-formatting utility but its postinstall lifecycle script executes the `id` command and transmits the output (installer uid/gid/groups) to a hardcoded bare-IP endpoint at http://155.190.124.243:6788/?cmd_output=<encoded>. Delivery is attempted through three redundant transports (node http.get, curl, wget) with swallowed errors to maximize successful exfiltration. The beacon also gives the operator installer IP, User-Agent, and host identity for follow-on targeting. This behavior fires automatically on `npm install`, is entirely unrelated to the declared date-utility purpose, and uses plain HTTP to a bare IP with no legitimate justification. The package name and generic description mimic well-known date helpers (date-fns, dayjs) while the author field is a self-referential placeholder, consistent with a disguised dropper targeting incidental installers.
Decision reason
OpenSSF Malicious Packages via OSV confirms date-kit-lite@1.0.0 as malicious (MAL-2026-10101): Malicious code in date-kit-lite (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory