date-utils-light @1.0.1
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10731
Ecosystem
npm
Summary
Package presents itself as a trivial date-formatting utility (index.js exports a one-line ISO date helper) but ships a postinstall.js that runs automatically on npm install. The script shells out via child_process.exec to collect host reconnaissance — hostname, whoami, id, uname, pwd, /etc/os-release, HOME, SHELL, container indicators, /proc/1/cgroup, network interfaces, and running process list — base64-encodes the data, and sends it via HTTP GET to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com/ing?d=<base64>. The stated purpose of the package does not require any shell execution or network activity; the install-time reconnaissance beacon is unrelated to the advertised functionality.
Source: amazon-inspector (99bd644fd9a59518d6f77e8d76c077ffef8a2afdc7ae2b00a6ca87299879a671)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.