mal-2026-6722
Vulnerability from ossf_malicious_packages
Published
2026-07-01 21:19
Modified
2026-07-01 22:04
Summary
Malicious code in date-fns-lite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)

date-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. The script harvests installer-side secrets — AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history — using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used date-fns library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host — especially in CI or a container with host mounts — will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.
Credits

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "postinstall.js",
              "sha256": "e3f0715ac3e04524b506c4d4a2c3c876a1337bb0c5e845b0d222712472662abf",
              "tlsh": "acf197657afb21245a6ad4eaa28f21123510f50b3e04ce94766c47d0bf8a0b8b6773dd"
            },
            {
              "path": "package.json",
              "sha256": "d44e4fd7032afcb424ecab971c0d90eed6229f25996ef9af99955630fcfb74d8",
              "tlsh": "1be06830082259232ac587e6ed220e477d200d23025cbc1823e3512883ceb7b98fd22e"
            }
          ],
          "package_integrity": [
            {
              "filename": "date-fns-lite-1.0.5.tgz",
              "hashes": {
                "sha1": "1f6ba05d374fbacf04a92f6fb913fe6231224b39",
                "sha512_sri": "sha512-SjGJX0jgJh+dSAy7IFbltbuap26Qn1Y/Iz/43jG3Zc3+0hILPcp8ut7rdXnl5LQpdIwecWhrOvDsOHHp5ZQy6Q=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "date-fns-lite"
      },
      "versions": [
        "1.0.5",
        "1.0.9",
        "1.0.11",
        "1.0.0",
        "1.0.1",
        "1.0.6",
        "1.0.10",
        "1.0.8",
        "1.0.2",
        "1.0.7",
        "1.0.3",
        "1.0.12",
        "1.0.4"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007947",
        "import_time": "2026-07-01T22:03:01.364950268Z",
        "modified_time": "2026-07-01T21:20:34Z",
        "sha256": "0eea3459d7924894dd7a609efe669b9e762bb88e4f939414d6f53fe16788e29f",
        "source": "amazon-inspector",
        "versions": [
          "1.0.5"
        ]
      },
      {
        "id": "IN-MAL-2026-007942",
        "import_time": "2026-07-01T22:03:01.123641375Z",
        "modified_time": "2026-07-01T21:19:53Z",
        "sha256": "9853105f0307399f6f3f5e7eb836394fd4e73d319237033ab69966466a27342f",
        "source": "amazon-inspector",
        "versions": [
          "1.0.9"
        ]
      },
      {
        "id": "IN-MAL-2026-007940",
        "import_time": "2026-07-01T22:03:01.017391333Z",
        "modified_time": "2026-07-01T21:19:37Z",
        "sha256": "9af195b8341421ebe7b8f512aad362785fac8589348e8bdd8f88f7722abb40c5",
        "source": "amazon-inspector",
        "versions": [
          "1.0.11"
        ]
      },
      {
        "id": "IN-MAL-2026-007953",
        "import_time": "2026-07-01T22:03:01.745944098Z",
        "modified_time": "2026-07-01T21:21:21Z",
        "sha256": "ce45aef4b931fbf32e28f1b8faba0ddcb50ec7d31fd4bed58247df5803d1bf6d",
        "source": "amazon-inspector",
        "versions": [
          "1.0.0"
        ]
      },
      {
        "id": "IN-MAL-2026-007952",
        "import_time": "2026-07-01T22:03:01.706103651Z",
        "modified_time": "2026-07-01T21:21:14Z",
        "sha256": "0f9edf3018d73debfdf5bd44b17c05736bfcf41c6c5af81cbd50f505a9844ca6",
        "source": "amazon-inspector",
        "versions": [
          "1.0.1"
        ]
      },
      {
        "id": "IN-MAL-2026-007946",
        "import_time": "2026-07-01T22:03:01.328937289Z",
        "modified_time": "2026-07-01T21:20:25Z",
        "sha256": "2e46efde053535d5d1b8c10671e3ada0985ee5cf1d3774925f4d78f5f955bfbd",
        "source": "amazon-inspector",
        "versions": [
          "1.0.6"
        ]
      },
      {
        "id": "IN-MAL-2026-007944",
        "import_time": "2026-07-01T22:03:01.235428566Z",
        "modified_time": "2026-07-01T21:20:09Z",
        "sha256": "4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51",
        "source": "amazon-inspector",
        "versions": [
          "1.0.10"
        ]
      },
      {
        "id": "IN-MAL-2026-007945",
        "import_time": "2026-07-01T22:03:01.297111308Z",
        "modified_time": "2026-07-01T21:20:16Z",
        "sha256": "b081b25d3ed80e6fb14012cd428e6b60c1ed7b77ce769f1510f73a2195a1f985",
        "source": "amazon-inspector",
        "versions": [
          "1.0.8"
        ]
      },
      {
        "id": "IN-MAL-2026-007951",
        "import_time": "2026-07-01T22:03:01.619286475Z",
        "modified_time": "2026-07-01T21:21:06Z",
        "sha256": "ca6dd98e3ea21871ac47c5ff8e0bdacad9543caa8094c1a709666e559dd6cc29",
        "source": "amazon-inspector",
        "versions": [
          "1.0.2"
        ]
      },
      {
        "id": "IN-MAL-2026-007950",
        "import_time": "2026-07-01T22:03:01.517320725Z",
        "modified_time": "2026-07-01T21:20:58Z",
        "sha256": "f3318b0646ee273862994f3f82e9f10f5509bad27643f60d737407751819e3eb",
        "source": "amazon-inspector",
        "versions": [
          "1.0.7"
        ]
      },
      {
        "id": "IN-MAL-2026-007949",
        "import_time": "2026-07-01T22:03:01.469652495Z",
        "modified_time": "2026-07-01T21:20:49Z",
        "sha256": "35d8ec9fe8175187d954aa5990d138efda2b727b12a014cda50cdc094a0241c5",
        "source": "amazon-inspector",
        "versions": [
          "1.0.3"
        ]
      },
      {
        "id": "IN-MAL-2026-007943",
        "import_time": "2026-07-01T22:03:01.199460609Z",
        "modified_time": "2026-07-01T21:20:00Z",
        "sha256": "8d10a0d7bcaa1ec28f749d4cb493ce930f7c59d2b59a627cf1443ebf6e5ed26e",
        "source": "amazon-inspector",
        "versions": [
          "1.0.12"
        ]
      },
      {
        "id": "IN-MAL-2026-007948",
        "import_time": "2026-07-01T22:03:01.424377839Z",
        "modified_time": "2026-07-01T21:20:41Z",
        "sha256": "980ccf3d2bcf2e7571c3ce0302f1c8a32667e3f57f0b49c2a2dd7b7bfc02fa28",
        "source": "amazon-inspector",
        "versions": [
          "1.0.4"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)\ndate-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on `npm install`. The script harvests installer-side secrets \u2014 AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history \u2014 using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used `date-fns` library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host \u2014 especially in CI or a container with host mounts \u2014 will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.\n",
  "id": "MAL-2026-6722",
  "modified": "2026-07-01T22:04:50Z",
  "published": "2026-07-01T21:19:37Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.5"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.9"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.11"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.0"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.1"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.6"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.10"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.8"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.2"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.7"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.12"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.4"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in date-fns-lite (npm)"
}

