MAL-2026-6301
Vulnerability from ossf_malicious_packages
Published
2026-06-23 15:21
Modified
2026-06-23 15:35
Summary
Malicious code in date-format-helper2 (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (66c1775ce65ad47476ee1a0f1c7c5373e61466ec3eb4543cc658e67d2de22960)
Package is advertised as a React date-formatting utility, but its postinstall.js performs targeted credential harvesting on npm install. The script reads Coze workload identity environment variables (COZE_WORKLOAD_API_TOKEN, COZE_WORKLOAD_IDENTITY_CLIENT_ID, COZE_WORKLOAD_IDENTITY_CLIENT_SECRET, COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT, COZE_PROJECT_SPACE_ID), uses them to mint OAuth access tokens via three grant types (client_credentials, token-exchange, and a JSON body variant) against the configured token endpoint, enumerates ~30 Coze API paths against api.coze.cn / integration.coze.cn / api.coze.com using the minted tokens, and POSTs the env values, the issued tokens, and the API responses over plaintext HTTP to http://2e3bkumw.requestrepo.com — a public request-capture sinkhole controlled by the attacker. The advertised date-helper functionality in index.js is unrelated cover for the install-time credential theft. An installer running npm install in CI or a developer environment with Coze credentials in scope would have their workload identity stolen and the attacker could impersonate that workload against Coze APIs.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "postinstall.js",
"sha256": "62eed992097a9541850b5481c81dd74cb6fa73bfaa901b50fd075fccdd6fbe21",
"tlsh": "ac8196f3bbbddc30366bb5b1334b20422e9bde5e0285bd50f184a4a4a20d3982373965"
}
],
"package_integrity": [
{
"filename": "date-format-helper2-1.0.3.tgz",
"hashes": {
"sha1": "595ace5abaf471804f56b3f798f06d9ab0a6e860",
"sha512_sri": "sha512-N+sOdUTNDpwn7jPdmAhdI5BxhXN8feSKcdfMrg4/ZqVvNH9qx02+U/XTCgR3MnrfDP+EwZEtTRBoLHiGGdnBWg=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "date-format-helper2"
},
"versions": [
"1.0.3",
"1.0.7",
"1.0.6",
"1.0.2",
"1.0.4",
"1.0.5",
"1.0.0"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007227",
"import_time": "2026-06-23T15:33:52.792961423Z",
"modified_time": "2026-06-23T15:21:06Z",
"sha256": "04a1e5571acbf5901d113811c19983d13f2dc0d532127445c2b16ed650d6b57c",
"source": "amazon-inspector",
"versions": [
"1.0.3"
]
},
{
"id": "IN-MAL-2026-007229",
"import_time": "2026-06-23T15:33:52.85396594Z",
"modified_time": "2026-06-23T15:21:08Z",
"sha256": "66c1775ce65ad47476ee1a0f1c7c5373e61466ec3eb4543cc658e67d2de22960",
"source": "amazon-inspector",
"versions": [
"1.0.7"
]
},
{
"id": "IN-MAL-2026-007230",
"import_time": "2026-06-23T15:33:52.924070985Z",
"modified_time": "2026-06-23T15:21:09Z",
"sha256": "78c0b87795b33cc06d2aa096cca532f61aa0f600ec888be07b7bcfc2ea1c6cad",
"source": "amazon-inspector",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-007231",
"import_time": "2026-06-23T15:33:53.001988804Z",
"modified_time": "2026-06-23T15:21:10Z",
"sha256": "ac54599f5ebf64585175c7d4b7bd626097f248c04aca277737e457940bd46373",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-007228",
"import_time": "2026-06-23T15:33:52.823855715Z",
"modified_time": "2026-06-23T15:21:07Z",
"sha256": "bd77add56411d8c62f428c859ce630c4604640766bb7eb3b359426d782737d5b",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
},
{
"id": "IN-MAL-2026-007233",
"import_time": "2026-06-23T15:33:53.21488354Z",
"modified_time": "2026-06-23T15:21:16Z",
"sha256": "d8b44f47c55950a88fb3842670fa061aa6b9c08cb3f048e0f43bfc4be2789009",
"source": "amazon-inspector",
"versions": [
"1.0.5"
]
},
{
"id": "IN-MAL-2026-007232",
"import_time": "2026-06-23T15:33:53.112890562Z",
"modified_time": "2026-06-23T15:21:11Z",
"sha256": "f1d638ba3203a606c5e4dd2187aed12eae58a0e3144b6df61d6495182dd27654",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (66c1775ce65ad47476ee1a0f1c7c5373e61466ec3eb4543cc658e67d2de22960)\nPackage is advertised as a React date-formatting utility, but its postinstall.js performs targeted credential harvesting on npm install. The script reads Coze workload identity environment variables (COZE_WORKLOAD_API_TOKEN, COZE_WORKLOAD_IDENTITY_CLIENT_ID, COZE_WORKLOAD_IDENTITY_CLIENT_SECRET, COZE_WORKLOAD_IDENTITY_TOKEN_ENDPOINT, COZE_PROJECT_SPACE_ID), uses them to mint OAuth access tokens via three grant types (client_credentials, token-exchange, and a JSON body variant) against the configured token endpoint, enumerates ~30 Coze API paths against api.coze.cn / integration.coze.cn / api.coze.com using the minted tokens, and POSTs the env values, the issued tokens, and the API responses over plaintext HTTP to http://2e3bkumw.requestrepo.com \u2014 a public request-capture sinkhole controlled by the attacker. The advertised date-helper functionality in index.js is unrelated cover for the install-time credential theft. An installer running `npm install` in CI or a developer environment with Coze credentials in scope would have their workload identity stolen and the attacker could impersonate that workload against Coze APIs.\n",
"id": "MAL-2026-6301",
"modified": "2026-06-23T15:35:53Z",
"published": "2026-06-23T15:21:06Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.3"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/date-format-helper2/v/1.0.0"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in date-format-helper2 (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…