npm

time-format-kit @1.0.2

Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC

Malicious

OSV ID

MAL-2026-10700

Ecosystem

npm

Summary

On npm install, the package's postinstall script decodes base64-encoded shell payloads and executes them via an obfuscated child_process.exec lookup (require('ch'+'il'+'d_p'+'rocess')['e'+'xec']). The shell payload reads ~/.aws/credentials, ~/.ssh/id_rsa, ~/.ssh/authorized_keys, ~/.ssh/known_hosts, ~/.bash_history, the full process environment, and host identifiers (hostname, whoami, id, sudo -l), then POSTs the base64-encoded contents over plain HTTP to a hardcoded Burp Collaborator subdomain at pwpzhsrbtvmfqrqr7onqcwnrcii960up.oastify.com. Additional payloads issue curl requests through the installer host to http://tst.woa.com/flag.html and http://tst.woa.com/ssrf_forward.php with an oastify-subdomain host parameter, and POST the response bodies back to the same collaborator endpoint, using the installer as an SSRF relay. The package name ('time-format-kit') has no functional relationship to the observed behavior.

Source: amazon-inspector (168d334d742003cf94d8b87ba56cd72694081ade01f6814062e58ebdc47d8594)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.