datefmt-helper@1.0.1

dates formatting utility with locale support

AI Security Review

scanned 2d ago · by lpm-firewall-ai

The package executes remote code during npm install. The postinstall script fetches OS-specific payloads from 115.190.124.243:8761 and runs them via shell or batch execution.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
npm install lifecycle postinstall
Impact
Arbitrary remote code execution on the installer host with the install user's privileges.
Mechanism
install-time remote script download and execution
Attack narrative
Installing datefmt-helper@1.0.1 runs package.json postinstall, which invokes postinstall.js. That script detects the OS, then either pipes a remote Linux script from 115.190.124.243:8761 into sh or downloads a Windows batch file to C:\Users\Public\run.bat and executes it. This behavior is hidden behind a benign date-formatting library surface.
Rationale
Direct source inspection confirms unconsented install-time remote code execution with hardcoded external payload URLs, which is concrete malicious behavior. The benign date helper entrypoint does not justify or align with the lifecycle downloader.
Evidence
package.json, postinstall.js, index.js, index.d.ts, README.md, C:\Users\Public\run.bat
Network endpoints (2)
115.190.124.243:8761/slt, 115.190.124.243:8761/swt

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js imports child_process.exec and runs a constructed shell command
  • postinstall.js downloads http://115.190.124.243:8761/slt and pipes it to sh on non-Windows
  • postinstall.js uses certutil to download http://115.190.124.243:8761/swt to C:\Users\Public\run.bat and execute it on Windows
  • Remote script execution is unrelated to the package's date formatting API
Evidence against
  • index.js only exports formatDate and timeAgo date helpers
  • index.d.ts only declares the date helper API
  • README.md documents date formatting usage and no network behavior
Behavioral surface
Source
ChildProcess
Supply chain
No supply-chain packaging signals triggered.
Manifest
No manifest risk signals triggered.
scanned 2 file(s), 2.82 KB of source

Source & flagged code

3 flagged
package.json
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

postinstall.js
matchType = previous_version_dangerous_delta matchedPackage = datefmt-helper@1.0.0 matchedIdentity = npm:ZGF0ZWZtdC1oZWxwZXI:1.0.0 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.


Findings

1 Critical · 1 High · 1 Medium · 1 Low
  • Critical: Previous Version Dangerous Delta (postinstall.js)
  • High: Install Time Lifecycle Scripts (package.json)
  • Medium: Ambiguous Install Lifecycle Script (package.json)
  • Low: Scripts Present