registry  /  dayjscore  /  1.0.0

dayjscore@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10587 confirms this npm version as malicious. The package's package.json declares scripts.postinstall = "node.init.js", causing.init.js to run automatically on npm install. The script harvests a hardcoded list of roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, and other cloud/provider tokens), reads files under the installer's home directory (~/.npmrc,...

Advisory
MAL-2026-10587
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in dayjscore (npm)
Details
The package's package.json declares scripts.postinstall = "node.init.js", causing.init.js to run automatically on npm install. The script harvests a hardcoded list of roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, and other cloud/provider tokens), reads files under the installer's home directory (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), and enumerates ~/.config/* for filenames containing token/cred/secret. It additionally collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid, timestamp) and POSTs the resulting JSON via https.request to a hardcoded webhook.cool endpoint (tender-deer-80). The package name mimics the popular dayjs library.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
Trivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 18 B of source

Source & flagged code

1 flagged · loading source
package.jsonView file
scripts.postinstall = node .init.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg

Findings

1 High1 Low
HighInstall Time Lifecycle Scriptspackage.json
LowScripts Present