npm · Malicious package advisory
Malwarenpm-show-date-proof-strings
MAL-2026-6791
Malicious code in npm-show-date-proof-strings (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (884f2797ddf6247c906bb97e72b3c0891551b260980811d50c7211ab2ea0bbcf)
The package's postinstall.js runs on every `npm install` and collects the installer's username (via `whoami` and `os.userInfo()`), hostname (`os.hostname()`), platform (`process.platform`), and Node version, then transmits them as query parameters via `https.get()` to a hardcoded endpoint at https://testnpm.byte.eyes.sh/npm-proof. The destination is author-controlled and undocumented; the installer has no opportunity to opt out. The package name ("npm-show-date-proof-strings") and an embedded NONCE string ("proof-2026-change-this-random-string") indicate this is a proof-of-execution beacon, but regardless of framing, it is unconsented host-identifier collection on install with no legitimate installer-facing purpose.
## Source: ossf-package-analysis (a2ca450bd74580e87a2f428fd6fcfe66ac30e7a2a88e214da7d3628915549db6)
The OpenSSF Package Analysis project identified 'npm-show-date-proof-strings' @ 1.0.3 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Compromised versions (2)
- 1.0.3
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.