A download-and-execute dropper disguised as a date-formatting utility
The npm package [email protected] advertised itself as a "dates formatting utility with locale support." Its actual behaviour is a supply-chain dropper: a postinstall hook downloads and executes a remote payload from a hardcoded IP on npm install. codelake detected and classified it independently from the live npm feed — before any public advisory existed.
The npm package datefmt-helper (version 1.0.0) impersonated an ordinary date-formatting helper — a plausible name, a matching description, a README and an index.d.ts to look complete. It carried no source repository, and its real function lived in a single install script.
On npm install, a postinstall hook executes automatically and downloads a payload from a hardcoded external IP, then runs it via a child process — the classic download-and-execute supply-chain pattern. A developer who so much as installs the package (directly or transitively) hands code execution to the operator of that endpoint.
This finding was produced entirely by codelake's automated pipeline from the live npm feed. At the time of detection and writing it was present in no public advisory database (OSV / GHSA) — codelake is the source of record.
1 · Continuous ingestion. The package was pulled from the npm feed and archived shortly after publication — capturing the artifact independently of any external report.
2 · Multi-tool static scan. Behavioural analysis flagged an install lifecycle hook combining network download primitives with process execution — the signature of a dropper — against a package with no repository and a mismatched, utility-like presentation.
3 · AI malware triage. A language-model reviewer read the assembled signals and the install script and returned a package-level verdict of malicious with a cited reason (download-and-execute from a hardcoded IP).
4 · Deterministic IOC extraction. A verification stage extracted the validated, routable C2 IP (filtering non-routable noise) and cross-checked OSV — which returned nothing, confirming this as a novel first-catch.
1 · Impersonation. The package name and metadata mimic a benign utility ("dates formatting utility with locale support"), lowering suspicion in a dependency list or a typo-driven install.
2 · Auto-execution. A postinstall: node postinstall.js entry runs on install, before the package is ever imported — so the payload fires even if the "utility" is never used.
3 · Remote fetch. The install script reaches out to a hardcoded IP (115.190.124.243) using HTTP / curl / wget primitives to retrieve a second-stage payload.
4 · Execution. The retrieved payload is run via a child process — giving the endpoint operator arbitrary code execution on the victim's machine, with whatever privileges the install ran under (developer workstation or CI runner).
Detected and classified by codelake Research · continuous npm ingestion · multi-tool static scan · AI malware triage · deterministic IOC extraction and OSV cross-check. At the time of writing, absent from public advisory databases — a codelake first-catch.
No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.