zer0one-dnslog @1.0.9

Summary

The package is published as a 'simple date formatting utility' but ships a postinstall payload that, on npm install , runs a curl pipeline against cloud instance-metadata services to harvest temporary IAM credentials and internal SSRF data, then POSTs the collected output to an attacker-controlled out-of-band host. Specifically, postinstall.js issues curls to AWS metadata at 169.254.169.254 (IAM security-credentials path), Aliyun at 100.100.100.200, Tencent at metadata.tencentyun.com / 169.254.0.23, and Meituan-internal mtsrc-test.sankuai.com, writes the responses to /tmp/aws.txt, /tmp/ali.txt, /tmp/tx.txt, /tmp/tx2.txt, and uploads them via curl -X POST to https://h4mx6b7krgzarfehbutwabxbu20tojc8.oastify.com/metadata along with a listing of /data/. package.json declares "postinstall": "node postinstall.js" , so the harvest fires automatically on default install. On any cloud build host or CI runner this leaks role credentials with full AWS/Aliyun/Tencent access. The advertised purpose mismatches the shipped behavior (index.js is a one-line hello stub), confirming the package is a lure for credential theft, not a date utility.

Source: amazon-inspector (903c45d49e6716373a67196c41e8acfbf8afa3320a635380ffe3403e8f127605)