VYPR

npm · Malicious package advisory

Malware

npm-show-date-proof-strings

MAL-2026-6791

Malicious code in npm-show-date-proof-strings (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (884f2797ddf6247c906bb97e72b3c0891551b260980811d50c7211ab2ea0bbcf)
The package's postinstall.js runs on every `npm install` and collects the installer's username (via `whoami` and `os.userInfo()`), hostname (`os.hostname()`), platform (`process.platform`), and Node version, then transmits them as query parameters via `https.get()` to a hardcoded endpoint at https://testnpm.byte.eyes.sh/npm-proof. The destination is author-controlled and undocumented; the installer has no opportunity to opt out. The package name ("npm-show-date-proof-strings") and an embedded NONCE string ("proof-2026-change-this-random-string") indicate this is a proof-of-execution beacon, but regardless of framing, it is unconsented host-identifier collection on install with no legitimate installer-facing purpose.

## Source: ossf-package-analysis (a2ca450bd74580e87a2f428fd6fcfe66ac30e7a2a88e214da7d3628915549db6)
The OpenSSF Package Analysis project identified 'npm-show-date-proof-strings' @ 1.0.3 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (2)

  • 1.0.3
  • 1.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.