VDB
EN

MAL-2026-10587

Malicious code in dayjscore (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd9b2226f2ebbeccf1bcafbec9c51e2b3f13e3a7712dfc22baa79fbb72393b8a) The package's package.json declares scripts.postinstall = "node.init.js", causing.init.js to run automatically on npm install. The script harvests a hardcoded list of roughly 60 credential-shaped environment variables (including NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, STRIPE_*, DB_PASSWORD, and other cloud/provider tokens), reads files under the installer's home directory (~/.npmrc, ~/.env*, ~/config.json, ~/credentials.json), and enumerates ~/.config/* for filenames containing token/cred/secret. It additionally collects host identifiers (os.hostname(), os.platform(), process.cwd(), process.pid, timestamp) and POSTs the resulting JSON via https.request to a hardcoded webhook.cool endpoint (tender-deer-80). The package name mimics the popular dayjs library.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / dayjscore

No fixed version published yet for dayjscore (npm). Pin to a known-safe version or switch to an alternative.

참고