VDB
KO

MAL-2026-6788

Malicious code in datefmt-helper (npm)

Details

The npm package `datefmt-helper` is a supply-chain dropper disguised as a benign date-formatting utility (its `description` reads "dates formatting utility with locale support"). The package ships no source repository and places its real behaviour in an install script.

A `postinstall` lifecycle hook (`postinstall: node postinstall.js`) executes automatically on `npm install`, before the package is ever imported. The install script uses HTTP / `curl` / `wget` primitives to download a second-stage payload from the hardcoded external IP `115.190.124.243`, then executes it via a Node child process — the classic download-and-execute pattern. Any developer workstation or CI runner that installs the package (directly or transitively) hands arbitrary code execution to the operator of that endpoint.

Detected and classified independently by codelake Research from the live npm feed on 2026-07-02; at the time of reporting the package was not present in OSV or GHSA (a first-catch).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / datefmt-helper

No fixed version published yet for datefmt-helper (npm). Pin to a known-safe version or switch to an alternative.

References