MAL-2026-10587
Malicious code in dayjscore (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bd9b2226f2ebbeccf1bcafbec9c51e2b3f13e3a7712dfc22baa79fbb72393b8a) The package's package.json declares scripts.postinstall = "node.init.js", causing.init.js to run automatically on npm install. The script harvests a hardcoded list of roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, and other cloud/provider tokens), reads files under the installer's home directory (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), and enumerates ~/.config/* for filenames containing token/cred/secret. It additionally collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid, timestamp) and POSTs the resulting JSON via https.request to a hardcoded webhook.cool endpoint (tender-deer-80). The package name mimics the popular dayjs library.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for dayjscore (npm). Pin to a known-safe version or switch to an alternative.