registry  /  npm-show-date-proof-strings  /  1.0.4

npm-show-date-proof-strings@1.0.4

npm script for showing date strings

AI Security Review

scanned 4d ago · by lpm-firewall-ai

The package exfiltrates host/user install telemetry during npm postinstall. This behavior is unrelated to the advertised date-string helper functionality.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
npm install lifecycle postinstall
Impact
Leaks username, hostname, platform, and Node version to an external endpoint without user consent.
Mechanism
install-time host fingerprinting and HTTP callback
Attack narrative
On installation, npm runs package.json postinstall, which executes postinstall.js. The script gathers a nonce, event name, username via whoami/id/os.userInfo, hostname, platform, and Node version, logs the data, then sends it as query parameters to http://testnpm.byte.eyes.sh/npm-date-proof. This unconsented install-time callback is not needed for a date formatting package.
Rationale
Direct source inspection confirms an install-time network callback that fingerprints and exfiltrates local user and host details. The behavior is unrelated to package functionality and is activated automatically during installation.
Evidence
package.jsonindex.jspostinstall.jsos.tmpdir()/npm-safe-proof-debug.log
Network endpoints1
testnpm.byte.eyes.sh/npm-date-proof

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • package.json defines postinstall: node postinstall.js
  • postinstall.js runs automatically on install and sends HTTP callback
  • postinstall.js collects whoami, hostname, platform, and node version
  • postinstall.js executes whoami/id via child_process.execFile
  • postinstall.js writes debug log to os.tmpdir()
Evidence against
  • index.js only exports simple formatDate and hello helpers
  • No package files beyond package.json, index.js, and postinstall.js were present
  • No evidence of remote payload download or eval/vm/native loading
Behavioral surface
Source
ChildProcessFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 2 file(s), 3.04 KB of source, external domains: testnpm.byte.eyes.sh

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node postinstall.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node postinstall.js
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = npm[redacted]@1.0.3 matchedIdentity = npm:[redacted]:1.0.3 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

postinstall.jsView on unpkg
1const http = require("http"); L2: const https = require("https"); ... L5: const path = require("path"); L6: const { execFile } = require("child_process"); L7: ... L32: }, L33: (err, stdout) => { L34: if (!err && stdout && stdout.trim()) { ... L43: async function getWhoami() { L44: if (process.platform === "win32") { L45: const result = await runCommand("whoami.exe"); ... L55: try {
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

postinstall.jsView on unpkg · L1
1const http = require("http"); L2: const https = require("https"); ... L5: const path = require("path"); L6: const { execFile } = require("child_process"); L7: ... L32: }, L33: (err, stdout) => { L34: if (!err && stdout && stdout.trim()) { ... L43: async function getWhoami() { L44: if (process.platform === "win32") { L45: const result = await runCommand("whoami.exe"); ... L55: try {
High
Install Named Payload File

Install-named source file stages remote content through filesystem writes and execution.

postinstall.jsView on unpkg · L1

Findings

1 Critical3 High3 Medium3 Low
CriticalPrevious Version Dangerous Deltapostinstall.js
HighInstall Time Lifecycle Scriptspackage.json
HighSandbox Evasion Gated Capabilitypostinstall.js
HighInstall Named Payload Filepostinstall.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowUrl Strings