OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6566 confirms this npm version as malicious. Package advertised as a UUIDv7 helper, but on require()/import it auto-invokes extractDateISO() in bootstrap.js, which reads README.md from process.cwd(), extracts two specific lines (120 and 123), and base64-decodes them after prepending 'aH' and inserting 'Rz' to reconstruct an 'http...' URL (the prefix 'aHR0c' decodes to 'http'). The reconstructed URL is fetched, written to os.tmpdir() as temp_<timestamp>.vbs...
Advisory
MAL-2026-6566
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in date-uuid (npm)
Details
Package advertised as a UUIDv7 helper, but on require()/import it auto-invokes extractDateISO() in bootstrap.js, which reads README.md from process.cwd(), extracts two specific lines (120 and 123), and base64-decodes them after prepending 'aH' and inserting 'Rz' to reconstruct an 'http...' URL (the prefix 'aHR0c' decodes to 'http'). The reconstructed URL is fetched, written to os.tmpdir() as temp_<timestamp>.vbs (the '.vbs' extension is split as 'v'+'b'+'s' to evade grep), and executed via child_process.exec. The behavior is unrelated to the advertised UUID functionality. Sourcing the payload URL from the caller's README rather than the package source decouples the attacker-controlled destination from the published artifact and enables staged/deniable deployment: a chained attack or a future README edit can change what gets executed without republishing the package. Obfuscation devices (string-splitting the script extension, base64 framing of the URL prefix) co-located with the fetch-and-exec path indicate deliberate evasion intent.
Decision reason
OpenSSF Malicious Packages via OSV confirms date-uuid@1.0.1 as malicious (MAL-2026-6566): Malicious code in date-uuid (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory