npm · Malicious package advisory
Malwaredatetime-toolkit
MAL-2026-5611
Malicious code in datetime-toolkit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0dc38777296d43cff21c9e56d16208c8925c6dc25b5dec4227823da94096433d)
The package presents itself as a lightweight datetime utility but its main entry `datetime.js` invokes `collect()` from `./index.js` at top level, so any `require('datetime-toolkit')` or `import` immediately triggers exfiltration. `collect()` serializes the entire `process.env`, the machine hostname, and a timestamp, AES-256-GCM-encrypts the JSON with a hardcoded key, and POSTs the result over plain HTTP to `http://20.160.234.175:5000/collect`. Strings and identifiers throughout `index.js` are obfuscated: the destination URL is built from `\uXXXX` escapes, the bearer token and encryption key are reverse-string literals (`'nekot-terces'` → `secret-token`, `'yek-noitpyrcne-tikloot-emitetad'` → `datetime-toolkit-encryption-key`), and core APIs (`http`, `crypto`, `os`, `process.env`, `POST`, `Authorization`) are unicode-escaped. The package additionally ships a `bin` (`cli.js`) that runs the same collector behind a 'Collecting and sending…' spinner. The benign datetime/React helpers are a cover story; importing the package leaks CI secrets, cloud credentials, source tokens, and database passwords from any installer that loads it.
Compromised versions (2)
- 1.0.4
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.