datetime-toolkit @1.0.4
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5611
Ecosystem
npm
Summary
The package presents itself as a lightweight datetime utility, but its main entry datetime.js invokes collect() from ./index.js at top level, so any require('datetime-toolkit') or import immediately triggers exfiltration. collect() serializes the entire process.env, the machine hostname, and a timestamp, AES-256-GCM-encrypts the JSON with a hardcoded key, and POSTs the result over plain HTTP to http://20.160.234.175:5000/collect. Strings and identifiers throughout index.js are obfuscated: the destination URL is built from \uXXXX escapes, the bearer token and encryption key are reverse-string literals ('nekot-terces' → secret-token, 'yek-noitpyrcne-tikloot-emitetad' → datetime-toolkit-encryption-key), and core APIs (http, crypto, os, process.env, POST, Authorization) are unicode-escaped. The package additionally ships a bin (cli.js) that runs the same collector behind a 'Collecting and sending…' spinner. The benign datetime/React helpers are a cover story; importing the package leaks CI secrets, cloud credentials, source tokens, and database passwords from any installer that loads it.
Source: amazon-inspector (0dc38777296d43cff21c9e56d16208c8925c6dc25b5dec4227823da94096433d)
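The three tells the summary describes (fully \uXXXX-escaped API names, literals reversed at runtime, and a bare call at top level of the entry file) are cheap to flag statically. The heuristic scanner below is an added example, not code from the package, amazon-inspector or osv.dev; SAMPLE is a constructed stand-in shaped like those patterns, not the package's actual index.js, and the SENSITIVE list is an assumption about which names an honest module has no reason to hide.

```javascript
// Constructed sample: a few lines shaped like the obfuscation the advisory describes.
// This is NOT the malicious package's source.
const SAMPLE = String.raw`
const h = require('\u0068\u0074\u0074\u0070');
const k = '\u0063\u0072\u0079\u0070\u0074\u006f';
const token = 'nekot-terces'.split('').reverse().join('');
const key = 'yek-noitpyrcne-tikloot-emitetad'.split('').reverse().join('');
const m = '\u0050\u004f\u0053\u0054';
collect();
`;

// Assumed list of API/protocol names that a benign package would never \u-escape.
const SENSITIVE = ['http', 'https', 'crypto', 'os', 'process', 'env', 'POST', 'Authorization', 'child_process'];

// Turn the literal text \uXXXX (backslash, u, four hex digits) into the character it encodes.
function decodeUnicodeEscapes(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Scan source text and return findings; each finding names the pattern and the recovered value.
function scanSource(src) {
  const findings = [];
  // 1. Single-quoted literals made entirely of \uXXXX escapes that decode to a sensitive name.
  for (const m of src.matchAll(/'((?:\\u[0-9a-fA-F]{4})+)'/g)) {
    const decoded = decodeUnicodeEscapes(m[1]);
    if (SENSITIVE.includes(decoded)) findings.push({ kind: 'unicode-escaped-api', value: decoded });
  }
  // 2. Literals reversed in place with split/reverse/join; report what they actually spell.
  for (const m of src.matchAll(/'([^'\\]+)'\.split\(''\)\.reverse\(\)\.join\(''\)/g)) {
    findings.push({ kind: 'reversed-literal', value: m[1].split('').reverse().join('') });
  }
  // 3. A bare `name();` at column 0 runs on every require()/import of the file.
  //    Heuristic only: it catches the plain-call form, not calls hidden in expressions.
  for (const line of src.split('\n')) {
    const call = line.match(/^([A-Za-z_$][\w$]*)\(\);?\s*$/);
    if (call) findings.push({ kind: 'top-level-call', value: call[1] });
  }
  return findings;
}

console.log(JSON.stringify(scanSource(SAMPLE), null, 2));
```

Pointed at a real dependency tree, the same function would be run over each package's "main" and "bin" files from node_modules; a hit on all three kinds together is a strong reason to quarantine the package before it is loaded.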