npm

@lazyutil/dater @0.9.5

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6308

Ecosystem

npm

Summary

@lazyutil/dater is a trojanized repackage of the legitimate timezonecomplete library. Its package.json declares "postinstall": "node ./dist/lib/tzinit.cjs", which runs automatically on npm install. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR plus control-flow flattening) that uses AES-256-GCM with a hardcoded key, IV and AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via process.execPath or sh -c. The dropper is platform-gated for win32, darwin and linux, retries with backoff, and re-execs the package's process. None of this is required for a date/timezone library, and the legitimate upstream has neither a postinstall script nor a tzinit.cjs. Trojanization signals: the package description is copied verbatim from timezonecomplete; the repository field still points at the upstream author's git URL (github.com/rogierschouten/timezonecomplete); the homepage points at a placeholder, github.com/lazyutil; and the author is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer's machine.

Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)
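The trojanization signals listed above can be checked mechanically from package.json metadata before a package is installed. The following audit function is an added example, not part of this report or of any scanner; the sample package.json dicts are constructed to resemble the described package (description text and upstream scripts are placeholders, not the real values), and the scope/owner comparison is a heuristic, not a definitive verdict.

```python
import re

# Lifecycle hooks that npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def github_owner(url):
    """Return the GitHub owner segment of a URL, or None (hypothetical helper)."""
    m = re.search(r"github\.com[/:]([^/\s]+)", url or "")
    return m.group(1).lower() if m else None


def audit_package(pkg, upstream=None):
    """Return trojanization signals found in a package.json dict.

    `upstream` is the package.json of the library the package resembles,
    or None when no upstream is known.
    """
    signals = []
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            signals.append(f"install hook {hook!r} runs: {scripts[hook]}")
    name = pkg.get("name", "")
    scope = name[1:].split("/")[0].lower() if name.startswith("@") else None
    repo = pkg.get("repository")
    repo_owner = github_owner(repo.get("url") if isinstance(repo, dict) else repo)
    home_owner = github_owner(pkg.get("homepage"))
    if scope and repo_owner and repo_owner != scope:
        signals.append(f"repository owner {repo_owner!r} differs from scope {scope!r}")
    if repo_owner and home_owner and repo_owner != home_owner:
        signals.append(f"homepage owner {home_owner!r} differs from repository owner {repo_owner!r}")
    if upstream:
        if pkg.get("description") and pkg.get("description") == upstream.get("description"):
            signals.append("description copied verbatim from upstream")
        for hook in INSTALL_HOOKS:
            if hook in scripts and hook not in upstream.get("scripts", {}):
                signals.append(f"install hook {hook!r} absent in upstream")
    return signals


# Constructed samples modelled on the report; description and upstream scripts are placeholders.
SUSPECT = {
    "name": "@lazyutil/dater",
    "description": "placeholder description",
    "repository": {"type": "git", "url": "git+https://github.com/rogierschouten/timezonecomplete.git"},
    "homepage": "https://github.com/lazyutil",
    "scripts": {"postinstall": "node ./dist/lib/tzinit.cjs"},
}
UPSTREAM = {"name": "timezonecomplete", "description": "placeholder description", "scripts": {}}
```

Running audit_package(SUSPECT, UPSTREAM) flags all five signals from the report: the postinstall hook, scope/repository owner mismatch, homepage/repository mismatch, the copied description, and a hook the upstream lacks.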
