npm

npm-show-date-proof-strings @1.0.4

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6791

Ecosystem

npm

Summary

npm-show-date-proof-strings@1.0.4 declares a postinstall script (postinstall.js) that fires automatically on npm install . The script collects the installer's username (whoami/id -un/os.userInfo), hostname, platform, and Node.js version and transmits them as query parameters to the hardcoded endpoint http://testnpm.byte.eyes.sh/npm-date-proof. The advertised library surface (index.js exports formatDate/hello) is unrelated to this network activity and functions as cover for the beacon. The pattern is consistent with a dependency-confusion probe or reconnaissance beacon, delivering installer-side identifying data to an attacker-controlled host over plaintext HTTP with no user consent.

Source: amazon-inspector (2d30ee041cbe9a4b74e08cc0e493901460cc6563874723f620160c73908ed88a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.