registry  /  time-format-kit  /  1.0.1

time-format-kit@1.0.1

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10700 confirms this npm version as malicious. On npm install, the package's postinstall script decodes base64-encoded shell payloads and executes them via an obfuscated child_process.exec lookup (require('ch'+'il'+'d_p'+'rocess')['e'+'xec']). The shell payload reads ~/.aws/credentials, ~/.ssh/id_rsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.bash_history, the full process environment, and host identifiers (hostname, whoami, id, sudo -l), then POSTs the...

Advisory
MAL-2026-10700
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in time-format-kit (npm)
Details
On npm install, the package's postinstall script decodes base64-encoded shell payloads and executes them via an obfuscated child_process.exec lookup (require('ch'+'il'+'d_p'+'rocess')['e'+'xec']). The shell payload reads ~/.aws/credentials, ~/.ssh/id_rsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.bash_history, the full process environment, and host identifiers (hostname, whoami, id, sudo -l), then POSTs the base64-encoded contents over plain HTTP to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com. Additional payloads issue curl requests through the installer host to http://tst.woa.com/flag.html and http://tst.woa.com/ssrf_forward.php with an oastify-subdomain host parameter, and POST the response bodies back to the same collaborator endpoint, using the installer as an SSRF relay. The package name ('time-format-kit') has no functional relationship to the observed behavior. ## Source: ossf-package-analysis (013929714a8a46ad664ac923c9ce315df1b9351993cc7d2d06a325d8f0c49009) The OpenSSF Package Analysis project identified 'time-format-kit' @ 1.0.2 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity. - The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms time-format-kit@1.0.1 as malicious (MAL-2026-10700): Malicious code in time-format-kit (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory