⛔ Malware Advisory Detected 2026-07-02 · 10:03 UTC
Confirmed malicious. codelake independently detected this at 2026-07-02 · 10:03 UTC — First-catch: codelake detected and classified this from the live npm feed with NO prior public advisory — at the time of writing it is not present in OSV or GHSA. codelake is the source of record.. Not yet in any public advisory database at detection time — codelake is the source of record.
Advisory · CLR-2026-2990

A download-and-execute dropper disguised as a date-formatting utility

The npm package [email protected] advertised itself as a "dates formatting utility with locale support." Its actual behaviour is a supply-chain dropper: a postinstall hook downloads and executes a remote payload from a hardcoded IP on npm install. codelake detected and classified it independently from the live npm feed — before any public advisory existed.

CriticalConfirmed maliciousInstall-hook dropperFirst-catch · not in OSV
Summary

The npm package datefmt-helper (version 1.0.0) impersonated an ordinary date-formatting helper — a plausible name, a matching description, a README and an index.d.ts to look complete. It carried no source repository, and its real function lived in a single install script.

On npm install, a postinstall hook executes automatically and downloads a payload from a hardcoded external IP, then runs it via a child process — the classic download-and-execute supply-chain pattern. A developer who so much as installs the package (directly or transitively) hands code execution to the operator of that endpoint.

This finding was produced entirely by codelake's automated pipeline from the live npm feed. At the time of detection and writing it was present in no public advisory database (OSV / GHSA) — codelake is the source of record.

How codelake detected it

1 · Continuous ingestion. The package was pulled from the npm feed and archived shortly after publication — capturing the artifact independently of any external report.

2 · Multi-tool static scan. Behavioural analysis flagged an install lifecycle hook combining network download primitives with process execution — the signature of a dropper — against a package with no repository and a mismatched, utility-like presentation.

3 · AI malware triage. A language-model reviewer read the assembled signals and the install script and returned a package-level verdict of malicious with a cited reason (download-and-execute from a hardcoded IP).

4 · Deterministic IOC extraction. A verification stage extracted the validated, routable C2 IP (filtering non-routable noise) and cross-checked OSV — which returned nothing, confirming this as a novel first-catch.

The technique — install-hook download-and-execute

1 · Impersonation. The package name and metadata mimic a benign utility ("dates formatting utility with locale support"), lowering suspicion in a dependency list or a typo-driven install.

2 · Auto-execution. A postinstall: node postinstall.js entry runs on install, before the package is ever imported — so the payload fires even if the "utility" is never used.

3 · Remote fetch. The install script reaches out to a hardcoded IP (115.190.124.243) using HTTP / curl / wget primitives to retrieve a second-stage payload.

4 · Execution. The retrieved payload is run via a child process — giving the endpoint operator arbitrary code execution on the victim's machine, with whatever privileges the install ran under (developer workstation or CI runner).

Indicators of Compromise
C2115.190.124.243 (hardcoded remote endpoint — validated routable; payload fetch target)
HOOKpostinstall → node postinstall.js (network download + child-process execution)
PKG[email protected] (npm) — impersonates a "dates formatting utility"; no source repository
SHAf2f58e73becce20f28c6f18700731f48c067826defe8279da2e24e4f69c25c72 · datefmt-helper-1.0.0.tgz
Remediation & hardening
#ActionPriority
01 Assume compromise if installed. Any machine that ran npm install with this package present should be treated as compromised — rotate all credentials/tokens from a clean machine and hunt for persistence. Immediate
02 Block the endpoint. Block 115.190.124.243 and review outbound connections from developer and CI machines during the exposure window. Immediate
03 Neutralise install hooks. Install with lifecycle scripts disabled (--ignore-scripts) where feasible, and pin/lock dependencies — treat postinstall as an execution boundary. High

Detected and classified by codelake Research · continuous npm ingestion · multi-tool static scan · AI malware triage · deterministic IOC extraction and OSV cross-check. At the time of writing, absent from public advisory databases — a codelake first-catch.

No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.