A date-utility dropper — and the campaign it belongs to
The npm package [email protected] advertised itself as a "Lightweight date formatting utility with locale support." Its actual behaviour is a supply-chain dropper: a postinstall hook downloads and executes a remote payload from a hardcoded IP on npm install. It is a near-identical twin of datefmt-helper (CLR-2026-2990) and part of a coordinated campaign of date-utility droppers — surfaced by codelake's dropper-hunting pipeline before any public advisory for this package existed.
The npm package fmt-date-lite (version 1.0.0) impersonated an ordinary date-formatting helper — a plausible name, a matching description ("Lightweight date formatting utility with locale support"), a README and an index.d.ts to look complete. It shipped just six files, carried no source repository and no dependencies, and placed its real function in a single install script.
On npm install, a postinstall hook executes automatically and downloads a payload from a hardcoded external endpoint, then runs it via a child process — the classic download-and-execute supply-chain pattern. A developer who so much as installs the package (directly or transitively) hands code execution to the operator of that endpoint.
This finding was produced entirely by codelake's automated pipeline from the live npm feed. At the time of detection and writing, fmt-date-lite was present in no public advisory database (OSV / GHSA) — codelake is the source of record.
fmt-date-lite is not an isolated package. It is a member of a coordinated campaign that reuses one template — a thin "date/time formatting utility" shell with a postinstall download-and-execute hook pointing at raw IP infrastructure in a single 115–155.190.124.0/8 neighbourhood:
· datefmt-helper — "dates formatting utility with locale support" → C2 115.190.124.243. Documented by codelake as CLR-2026-2990 (also a first-catch).
· date-fns-lite — same shell, same C2 115.190.124.243. Now catalogued as OSV MAL-2026-6722 — independent confirmation that this cluster is live and malicious.
· fmt-date-lite (this advisory) — "Lightweight date formatting utility with locale support" → C2 155.190.124.243:6788. The near-verbatim description reuse and the adjacent C2 address place it firmly in the same operation.
The shared template + shared infrastructure is the point: this is not one bad package but a typosquat-style production line of interchangeable date-utility droppers. codelake surfaced fmt-date-lite by ranking packages whose install-run script is itself flagged and whose download target is a raw public IP — the discriminator that separates real droppers from legitimate install-time binary bootstrappers.
1 · Continuous ingestion. The package was pulled from the npm feed and archived shortly after publication — capturing the artifact independently of any external report.
2 · Structural dropper filter. The package surfaced in codelake's dropper queue: an install lifecycle hook whose auto-run script (postinstall.js) was itself flagged for combining network fetch with process execution (child_process / execSync), in a tiny package with no repository — the signature of an install-time dropper, not a legitimate CLI.
3 · Download-target verification. A deterministic pass extracted the install script's download target and identified it as a raw, routable public IP (155.190.124.243:6788) rather than a vendor domain or a package registry — the decisive malware discriminator.
4 · Campaign correlation + OSV cross-check. The C2 address and the description template were correlated to the known sibling packages (datefmt-helper, date-fns-lite), and OSV was queried for fmt-date-lite itself — which returned nothing, confirming this package as a novel first-catch within an already-confirmed campaign.
Detected and classified by codelake Research · continuous npm ingestion · structural dropper filter · deterministic download-target extraction · campaign correlation and OSV cross-check. At the time of writing, absent from public advisory databases — a codelake first-catch within an already-confirmed campaign.
No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.