MAL-2026-10731
Malicious code in date-utils-light (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (99bd644fd9a59518d6f77e8d76c077ffef8a2afdc7ae2b00a6ca87299879a671) Package presents itself as a trivial date-formatting utility (index.js exports a one-line ISO date helper) but ships a postinstall.js that runs automatically on npm install. The script shells out via child_process.exec to collect host reconnaissance — hostname, whoami, id, uname, pwd, /etc/os-release, HOME, SHELL, container indicators, /proc/1/cgroup, network interfaces, and running process list — base64-encodes the data, and sends it via HTTP GET to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com/ing?d=<base64>. The stated purpose of the package does not require any shell execution or network activity; the install-time reconnaissance beacon is unrelated to the advertised functionality.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for date-utils-light (npm). Pin to a known-safe version or switch to an alternative.