npm · Malicious package advisory
Malwarecaspian-day-js
MAL-2026-5892
Malicious code in caspian-day-js (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (895fe8e087ec7af36d61e8a6972f484e70bc1b828374ae83cef9ff4a927f7b55)
caspian-day-js impersonates the popular dayjs package: package.json copies author `iamkun`, homepage `day.js.org`, and repo `github.com/iamkun/dayjs.git`, and ships an unmodified `dayjs.min.js` as `main` so `require('caspian-day-js')` appears functional. The malicious payload is in the lifecycle hook: package.json declares `postinstall: node setup.cjs`. setup.cjs is heavily obfuscated (obfuscator.io-style string-array with a custom base64 decoder) and at install time sets `NODE_TLS_REJECT_UNAUTHORIZED='0'`, fetches a remote JavaScript payload, writes it to `<tmpdir>/<12-hex>.js`, then spawns `process.execPath` on the dropped file (detached, stdio:'ignore', windowsHide:true) with the C2 endpoint `23.254.164.123:443` passed as argv[1], and finally unlinks setup.cjs to erase traces. Every machine running `npm install caspian-day-js` executes attacker-controlled JavaScript with TLS verification disabled, contacting 23.254.164.123:443.
Compromised versions (1)
- 1.11.23
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.