⛔ Malware Advisory Detected 2026-07-01 · 12:59 UTC
Confirmed malicious. codelake independently detected this at 2026-07-01 · 12:59 UTC — First-catch: codelake detected and classified fmt-date-lite from the live npm feed with NO prior public advisory for this package — at the time of writing it is not present in OSV or GHSA. codelake is the source of record. It is, however, a confirmed member of a coordinated campaign whose siblings ARE catalogued (datefmt-helper / CLR-2026-2990; date-fns-lite / OSV MAL-2026-6722).. Not yet in any public advisory database at detection time — codelake is the source of record.
Advisory · CLR-2026-2991

A date-utility dropper — and the campaign it belongs to

The npm package [email protected] advertised itself as a "Lightweight date formatting utility with locale support." Its actual behaviour is a supply-chain dropper: a postinstall hook downloads and executes a remote payload from a hardcoded IP on npm install. It is a near-identical twin of datefmt-helper (CLR-2026-2990) and part of a coordinated campaign of date-utility droppers — surfaced by codelake's dropper-hunting pipeline before any public advisory for this package existed.

CriticalConfirmed maliciousInstall-hook dropperCampaign memberFirst-catch · not in OSV
Summary

The npm package fmt-date-lite (version 1.0.0) impersonated an ordinary date-formatting helper — a plausible name, a matching description ("Lightweight date formatting utility with locale support"), a README and an index.d.ts to look complete. It shipped just six files, carried no source repository and no dependencies, and placed its real function in a single install script.

On npm install, a postinstall hook executes automatically and downloads a payload from a hardcoded external endpoint, then runs it via a child process — the classic download-and-execute supply-chain pattern. A developer who so much as installs the package (directly or transitively) hands code execution to the operator of that endpoint.

This finding was produced entirely by codelake's automated pipeline from the live npm feed. At the time of detection and writing, fmt-date-lite was present in no public advisory database (OSV / GHSA) — codelake is the source of record.

Part of a coordinated date-utility dropper campaign

fmt-date-lite is not an isolated package. It is a member of a coordinated campaign that reuses one template — a thin "date/time formatting utility" shell with a postinstall download-and-execute hook pointing at raw IP infrastructure in a single 115–155.190.124.0/8 neighbourhood:

· datefmt-helper — "dates formatting utility with locale support" → C2 115.190.124.243. Documented by codelake as CLR-2026-2990 (also a first-catch).

· date-fns-lite — same shell, same C2 115.190.124.243. Now catalogued as OSV MAL-2026-6722 — independent confirmation that this cluster is live and malicious.

· fmt-date-lite (this advisory) — "Lightweight date formatting utility with locale support" → C2 155.190.124.243:6788. The near-verbatim description reuse and the adjacent C2 address place it firmly in the same operation.

The shared template + shared infrastructure is the point: this is not one bad package but a typosquat-style production line of interchangeable date-utility droppers. codelake surfaced fmt-date-lite by ranking packages whose install-run script is itself flagged and whose download target is a raw public IP — the discriminator that separates real droppers from legitimate install-time binary bootstrappers.

How codelake detected it

1 · Continuous ingestion. The package was pulled from the npm feed and archived shortly after publication — capturing the artifact independently of any external report.

2 · Structural dropper filter. The package surfaced in codelake's dropper queue: an install lifecycle hook whose auto-run script (postinstall.js) was itself flagged for combining network fetch with process execution (child_process / execSync), in a tiny package with no repository — the signature of an install-time dropper, not a legitimate CLI.

3 · Download-target verification. A deterministic pass extracted the install script's download target and identified it as a raw, routable public IP (155.190.124.243:6788) rather than a vendor domain or a package registry — the decisive malware discriminator.

4 · Campaign correlation + OSV cross-check. The C2 address and the description template were correlated to the known sibling packages (datefmt-helper, date-fns-lite), and OSV was queried for fmt-date-lite itself — which returned nothing, confirming this package as a novel first-catch within an already-confirmed campaign.

Indicators of Compromise
C2155.190.124.243:6788 (hardcoded remote endpoint — validated routable; payload fetch target)
HOOKpostinstall → node postinstall.js (network fetch + child_process / execSync execution)
PKG[email protected] (npm) — impersonates a "Lightweight date formatting utility"; 6 files, no repository, no deps
SHA987872707c668af0739f7d0193c1db906eb87e0749a5801a8a166a0aa2735136 · fmt-date-lite-1.0.0.tgz
C2115.190.124.243 (sibling C2 — datefmt-helper / CLR-2026-2990 and date-fns-lite / OSV MAL-2026-6722)
Remediation & hardening
#ActionPriority
01 Assume compromise if installed. Any machine that ran npm install with this package present should be treated as compromised — rotate all credentials/tokens from a clean machine and hunt for persistence. Immediate
02 Block the endpoints. Block 155.190.124.243 and 115.190.124.243 and review outbound connections from developer and CI machines during the exposure window. Immediate
03 Neutralise install hooks. Install with lifecycle scripts disabled (--ignore-scripts) where feasible, and pin/lock dependencies — treat postinstall as an execution boundary. High
04 Watch the template. Treat thin "date/time formatting utility" packages with a postinstall hook and no repository as suspect — the campaign reuses this shell. High

Detected and classified by codelake Research · continuous npm ingestion · structural dropper filter · deterministic download-target extraction · campaign correlation and OSV cross-check. At the time of writing, absent from public advisory databases — a codelake first-catch within an already-confirmed campaign.

No working payload or reproduction is published here — the technique is described. The original artifact is preserved in the codelake archive and available to verified security researchers on request.