
MAL-2026-6308

Malicious code in @lazyutil/dater (npm)

Details

@lazyutil/dater (malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by lazyutil-78muyg@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern <scope>-<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a date library and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tzinit.js in the earliest variant, dist/lib/tzinit.cjs thereafter). package.json declares a postinstall hook (e.g. "node ./dist/lib/tzinit.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.9.5) points to a scrubbed release with an empty scripts block. The 0.9.4 payload blob is byte-identical to @glitchpad/throttler@2.2.3 from the same campaign. Malicious payload dist/lib/tzinit.cjs (0.9.4) SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)

@lazyutil/dater is a trojanized repackage of the legitimate `timezonecomplete` library. Its package.json declares `postinstall: node ./dist/lib/tzinit.cjs`, which runs automatically on `npm install`. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR + control-flow flattening) that uses AES-256-GCM with a hardcoded key/IV/AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via `process.execPath` or `sh -c`. The dropper is platform-gated for win32/darwin/linux, retries with backoff, and re-execs the package's process. None of this is required for a date/timezone library, and the legitimate upstream has neither a postinstall nor a tzinit.cjs. Trojanization signals: the package description is copied verbatim from `timezonecomplete`, the `repository` field still points at the upstream author's git URL (`github.com/rogierschouten/timezonecomplete`), `homepage` points at a placeholder `github.com/lazyutil`, and `author` is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer's machine.
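The trojanization signals listed above can be checked mechanically before a package is installed. The following is an added example, not code from the advisory or from any of its sources: it audits a package.json (and, optionally, the source of the script a lifecycle hook runs) for the indicators this record names. The sample metadata and the hook-source stand-in are constructed from values quoted on this page; the real payload is not reproduced.

```javascript
// Added example (not from the advisory): flag the indicators the record describes.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall'];

// Obfuscator markers named on the page plus the re-exec primitive it mentions.
const OBFUSCATION_MARKERS = [
  { name: 'array-rotation IIFE', re: /while\s*\(\s*!!\[\]\s*\)/ },
  { name: 'hex-named identifiers', re: /\b_0x[0-9a-f]{4,}\b/ },
  { name: 'process re-exec via process.execPath', re: /process\.execPath/ },
];

// pkg: parsed package.json; hookSources: { 'relative/path.cjs': '<file contents>' }
function auditPackage(pkg, hookSources = {}) {
  const findings = [];
  const scope = pkg.name.startsWith('@') ? pkg.name.slice(1).split('/')[0] : null;

  // 1. Install-time lifecycle hooks run arbitrary code on `npm install`.
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    findings.push(`lifecycle hook ${hook}: "${cmd}"`);
    const file = (cmd.match(/\.\/?[\w./-]+\.(?:c?js|mjs)/) || [])[0];
    const src = file && hookSources[file.replace(/^\.\//, '')];
    if (!src) continue;
    for (const m of OBFUSCATION_MARKERS) if (m.re.test(src)) findings.push(`${file}: ${m.name}`);
  }

  // 2. Repository owner does not match the scope that published the package.
  const repo = typeof pkg.repository === 'string' ? pkg.repository : (pkg.repository || {}).url || '';
  const owner = (repo.match(/github\.com[/:]([^/]+)\//) || [])[1];
  if (scope && owner && owner.toLowerCase() !== scope.toLowerCase()) {
    findings.push(`repository owner "${owner}" differs from scope "${scope}"`);
  }

  // 3. Homepage is a bare user/org profile URL rather than a project page.
  if (pkg.homepage && /github\.com\/[^/]+\/?$/.test(pkg.homepage)) {
    findings.push(`homepage "${pkg.homepage}" is a placeholder profile URL`);
  }
  return findings;
}

// Constructed sample: metadata fields as the advisory describes them.
const samplePkg = {
  name: '@lazyutil/dater', version: '0.9.4',
  scripts: { postinstall: 'node ./dist/lib/tzinit.cjs' },
  repository: { type: 'git', url: 'git+https://github.com/rogierschouten/timezonecomplete.git' },
  homepage: 'https://github.com/lazyutil',
};
// Constructed stand-in for the hook source, carrying only the obfuscation markers.
const sampleHook = { 'dist/lib/tzinit.cjs': 'var _0x4e2a=[];(function(){while(!![]){break;}})();process.execPath;' };
console.log(auditPackage(samplePkg, sampleHook));
```

A clean package with no install hooks, a repository owner matching its scope and a project homepage yields an empty list.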

Affected packages

npm / @lazyutil/dater
Introduced in: 0

No fixed version published yet for @lazyutil/dater (npm). Pin to a known-safe version or switch to an alternative.