date-uuid@1.0.4

Date UUID is a package that generates a UUID based on the current date and time.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package triggers hidden network and execution behavior through lib/bootstrap.js. The package fetches remote content, writes it as a temporary .vbs script, and executes it, which is unrelated to UUID generation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
Importing date-uuid via index.js or index.mjs
Impact
Potential arbitrary code execution and OS fingerprint transmission in the consumer environment on package import.
Mechanism
import-time README-derived remote fetch, temp script write, and child_process exec
Attack narrative
The package appears to provide UUIDv7 helpers, but both CommonJS and ESM entrypoints load lib/bootstrap.js. That bootstrap imports lib/store.js and immediately calls extractDateISO(). The call reads README-derived values, decrypts/constructs a URL, POSTs OS details, fetches remote content, stores it as a temporary .vbs file, and executes it with child_process.exec while suppressing errors.
Rationale
Static source inspection confirms import-time remote payload retrieval and execution concealed behind a date UUID package. This is concrete, non-package-aligned remote code execution, so it should be blocked.
Evidence
package.json, index.js, index.mjs, lib/bootstrap.js, lib/store.js, README.md, os.tmpdir()/temp_<timestamp>.vbs

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js and index.mjs require lib/bootstrap.js at package import time
  • lib/bootstrap.js imports extractDateISO from lib/store.js and calls it immediately, suppressing errors
  • lib/store.js derives a hidden URL from README.md lines 115/116 plus embedded AES-GCM key/material
  • lib/store.js fetchString() POSTs os.platform()/os.release() to the URL, then GETs remote text
  • lib/store.js writes fetched content to os.tmpdir()/temp_<timestamp>.vbs and executes it with child_process.exec
  • package description/API only advertises UUID generation and parsing
Evidence against
  • package.json has no npm lifecycle scripts
  • generate() and extractDate() UUID helpers are locally implemented and package-aligned
  • No fixed network endpoint is visible; URL is derived from README content or options
Behavioral surface
Source: ChildProcess, Crypto, Filesystem, Network
Supply chain: HighEntropyStrings
Manifest: No manifest risk signals triggered.
scanned 4 file(s), 7.80 KB of source

Source & flagged code

3 flagged
lib/store.js
64
L65: const { exec } = require('child_process');
L66: const fs = require('fs/promises');
...
L119: async function readApiFromReadme(
L120:   projectRoot = process.cwd(),
L121:   lineNumberApi1 = README_LINE_API1,
...
L145: const { algorithm, iv, encrypted, authTag } = sealedPackage;
L146: const realKey = Buffer.from(secKey, 'hex');
L147:
...
L190: async function fetchString(url) {
L191:   await fetch(url, {
L192:     method: "POST",
Critical
Remote Asset Decode Execute

Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.

lib/store.js · L64
Trigger-reachable chain: manifest.exports -> lib/store.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

lib/store.js
64
L65: const { exec } = require('child_process');
L66: const fs = require('fs/promises');
High
Child Process

Package source references child process execution.

lib/store.js · L64

Findings

2 Critical, 1 High, 2 Medium, 2 Low
  • Critical: Remote Asset Decode Execute (lib/store.js)
  • Critical: Trigger Reachable Dangerous Capability (lib/store.js)
  • High: Child Process (lib/store.js)
  • Medium: Network
  • Medium: Structural Risk Force Deep Review
  • Low: Filesystem
  • Low: High Entropy Strings