mal-2026-6722
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)
date-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. The script harvests installer-side secrets — AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history — using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used date-fns library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host — especially in CI or a container with host mounts — will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "e3f0715ac3e04524b506c4d4a2c3c876a1337bb0c5e845b0d222712472662abf",
"tlsh": "acf197657afb21245a6ad4eaa28f21123510f50b3e04ce94766c47d0bf8a0b8b6773dd"
},
{
"path": "package.json",
"sha256": "d44e4fd7032afcb424ecab971c0d90eed6229f25996ef9af99955630fcfb74d8",
"tlsh": "1be06830082259232ac587e6ed220e477d200d23025cbc1823e3512883ceb7b98fd22e"
}
],
"package_integrity": [
{
"filename": "date-fns-lite-1.0.5.tgz",
"hashes": {
"sha1": "1f6ba05d374fbacf04a92f6fb913fe6231224b39",
"sha512_sri": "sha512-SjGJX0jgJh+dSAy7IFbltbuap26Qn1Y/Iz/43jG3Zc3+0hILPcp8ut7rdXnl5LQpdIwecWhrOvDsOHHp5ZQy6Q=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "date-fns-lite"
},
"versions": [
"1.0.5",
"1.0.9",
"1.0.11",
"1.0.0",
"1.0.1",
"1.0.6",
"1.0.10",
"1.0.8",
"1.0.2",
"1.0.7",
"1.0.3",
"1.0.12",
"1.0.4"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007947",
"import_time": "2026-07-01T22:03:01.364950268Z",
"modified_time": "2026-07-01T21:20:34Z",
"sha256": "0eea3459d7924894dd7a609efe669b9e762bb88e4f939414d6f53fe16788e29f",
"source": "amazon-inspector",
"versions": [
"1.0.5"
]
},
{
"id": "IN-MAL-2026-007942",
"import_time": "2026-07-01T22:03:01.123641375Z",
"modified_time": "2026-07-01T21:19:53Z",
"sha256": "9853105f0307399f6f3f5e7eb836394fd4e73d319237033ab69966466a27342f",
"source": "amazon-inspector",
"versions": [
"1.0.9"
]
},
{
"id": "IN-MAL-2026-007940",
"import_time": "2026-07-01T22:03:01.017391333Z",
"modified_time": "2026-07-01T21:19:37Z",
"sha256": "9af195b8341421ebe7b8f512aad362785fac8589348e8bdd8f88f7722abb40c5",
"source": "amazon-inspector",
"versions": [
"1.0.11"
]
},
{
"id": "IN-MAL-2026-007953",
"import_time": "2026-07-01T22:03:01.745944098Z",
"modified_time": "2026-07-01T21:21:21Z",
"sha256": "ce45aef4b931fbf32e28f1b8faba0ddcb50ec7d31fd4bed58247df5803d1bf6d",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-007952",
"import_time": "2026-07-01T22:03:01.706103651Z",
"modified_time": "2026-07-01T21:21:14Z",
"sha256": "0f9edf3018d73debfdf5bd44b17c05736bfcf41c6c5af81cbd50f505a9844ca6",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-007946",
"import_time": "2026-07-01T22:03:01.328937289Z",
"modified_time": "2026-07-01T21:20:25Z",
"sha256": "2e46efde053535d5d1b8c10671e3ada0985ee5cf1d3774925f4d78f5f955bfbd",
"source": "amazon-inspector",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-007944",
"import_time": "2026-07-01T22:03:01.235428566Z",
"modified_time": "2026-07-01T21:20:09Z",
"sha256": "4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51",
"source": "amazon-inspector",
"versions": [
"1.0.10"
]
},
{
"id": "IN-MAL-2026-007945",
"import_time": "2026-07-01T22:03:01.297111308Z",
"modified_time": "2026-07-01T21:20:16Z",
"sha256": "b081b25d3ed80e6fb14012cd428e6b60c1ed7b77ce769f1510f73a2195a1f985",
"source": "amazon-inspector",
"versions": [
"1.0.8"
]
},
{
"id": "IN-MAL-2026-007951",
"import_time": "2026-07-01T22:03:01.619286475Z",
"modified_time": "2026-07-01T21:21:06Z",
"sha256": "ca6dd98e3ea21871ac47c5ff8e0bdacad9543caa8094c1a709666e559dd6cc29",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-007950",
"import_time": "2026-07-01T22:03:01.517320725Z",
"modified_time": "2026-07-01T21:20:58Z",
"sha256": "f3318b0646ee273862994f3f82e9f10f5509bad27643f60d737407751819e3eb",
"source": "amazon-inspector",
"versions": [
"1.0.7"
]
},
{
"id": "IN-MAL-2026-007949",
"import_time": "2026-07-01T22:03:01.469652495Z",
"modified_time": "2026-07-01T21:20:49Z",
"sha256": "35d8ec9fe8175187d954aa5990d138efda2b727b12a014cda50cdc094a0241c5",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
},
{
"id": "IN-MAL-2026-007943",
"import_time": "2026-07-01T22:03:01.199460609Z",
"modified_time": "2026-07-01T21:20:00Z",
"sha256": "8d10a0d7bcaa1ec28f749d4cb493ce930f7c59d2b59a627cf1443ebf6e5ed26e",
"source": "amazon-inspector",
"versions": [
"1.0.12"
]
},
{
"id": "IN-MAL-2026-007948",
"import_time": "2026-07-01T22:03:01.424377839Z",
"modified_time": "2026-07-01T21:20:41Z",
"sha256": "980ccf3d2bcf2e7571c3ce0302f1c8a32667e3f57f0b49c2a2dd7b7bfc02fa28",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51)\ndate-fns-lite@1.0.10 presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on `npm install`. The script harvests installer-side secrets \u2014 AWS credentials (~/.aws), GCP application-default credentials, Azure tokens, kubeconfig, SSH private keys and authorized_keys, /etc/shadow, and shell history \u2014 using /proc/1/root traversal to reach the host filesystem from inside a container. It also queries the AWS IMDS endpoint (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and GCP metadata service for instance IAM credentials, probes the Docker socket via /proc/1/root/var/run/docker.sock to enumerate containers, and performs internal-network reconnaissance (default-gateway detection, /24 ping sweep, port probes on 22/80/443/3306/6379/9200/27017). The aggregated report is POSTed to a hardcoded bare-IP endpoint at http://115.190.124.243:9082/callback over plain HTTP. The package name mimics the widely-used `date-fns` library, and index.js contains a small plausible-looking date formatter as cover for the postinstall payload. Installing this package on any host \u2014 especially in CI or a container with host mounts \u2014 will disclose cloud credentials, SSH keys, and an internal-network map to the attacker.\n",
"id": "MAL-2026-6722",
"modified": "2026-07-01T22:04:50Z",
"published": "2026-07-01T21:19:37Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.9"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.11"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.10"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.8"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.12"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-fns-lite/v/1.0.4"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in date-fns-lite (npm)"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.