Malicious code in datefmt-helper (npm)
MAL-2026-6788
Published · Modified
Description
The npm package datefmt-helper is a supply-chain dropper disguised as a benign date-formatting utility (its description reads "dates formatting utility with locale support"). The package ships no source repository and places its real behaviour in an install script.
A postinstall lifecycle hook (postinstall: node postinstall.js) executes automatically on npm install, before the package is ever imported. The install script uses HTTP / curl / wget primitives to download a second-stage payload from the hardcoded external IP 115.190.124.243, then executes it via a Node child process — the classic download-and-execute pattern. Any developer workstation or CI runner that installs the package (directly or transitively) hands arbitrary code execution to the operator of that endpoint.
Detected and classified independently by codelake Research from the live npm feed on 2026-07-02; at the time of reporting the package was not present in OSV or GHSA (a first-catch).
References
Ready to move
Start Securing
Free, no credit card | First findings in minutes