npm

filewisee @0.1.1

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10501

Ecosystem

npm

Summary

The package presents itself as a date-formatting utility and re-exports plausible date APIs (format, formatISO, formatDate, formatTime) from dist/index.js, but also exports formatd from dist/file.js. When formatd is invoked, it fetches an opaque binary from the anonymous file host pixeldrain.com (https://pixeldrain.com/u/byLkaSJR), writes the bytes to ~/.drc/dr, chmods the file 0o755, and spawns it with caller-supplied args using stdio:'ignore' and windowsHide:true so the child process is hidden. There is no hash or signature verification on the downloaded binary, the host is anonymous and unrelated to the publisher, the download target is unrelated to date formatting, and the binary is staged in a hidden dot-directory under the user's home. The cover-story API surface (formatd named to blend with format/formatDate/formatTime) increases the chance consumers invoke the dropper believing it is a date helper.

Source: amazon-inspector (758d74e75086465a01c3837210bf5bafe22d86e6f087be963e39ccd62ed0b034)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.