MAL-2026-6308
Vulnerability from ossf_malicious_packages
@lazyutil/dater (malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by lazyutil-78muyg@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern -<6 random chars>@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a date library and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tzinit.js in the earliest variant, dist/lib/tzinit.cjs thereafter). package.json declares a postinstall hook (e.g. "node ./dist/lib/tzinit.cjs") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.9.5) points to a scrubbed release with an empty scripts block. The 0.9.4 payload blob is byte-identical to @glitchpad/throttler@2.2.3 from the same campaign. Malicious payload dist/lib/tzinit.cjs (0.9.4) SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)
@lazyutil/dater is a trojanized repackage of the legitimate timezonecomplete library. Its package.json declares postinstall: node./dist/lib/tzinit.cjs, which runs automatically on npm install. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR + control-flow flattening) that uses AES-256-GCM with a hardcoded key/IV/AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via process.execPath or sh -c. The dropper is platform-gated for win32/darwin/linux, retries with backoff, and re-execs the package's process. None of this is required for a date/timezone library and the legitimate upstream has neither a postinstall nor a tzinit.cjs. Trojanization signals: package description is copied verbatim from timezonecomplete, the repository field still points at the upstream author's git URL (github.com/rogierschouten/timezonecomplete), homepage points at a placeholder github.com/lazyutil, and author is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer's machine.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "dist/lib/tzinit.cjs",
"sha256": "68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875",
"tlsh": "6e445151a3c9bc8012479f767b5ef2e9fa290aac745408afd404bd54bbfa507dbe0630"
},
{
"path": "package.json",
"sha256": "8b768658e4e12b0dd77170bd4d14e7ebc16927db68bdddcc954d8544f889bb31",
"tlsh": "67218c3cc4354d633ee87ad4ac6a7845677148074e547d1432cb04ac8b8e2eb52bf2ee"
}
],
"package_integrity": [
{
"filename": "dater-0.9.2.tgz",
"hashes": {
"sha1": "2f7e922ccb07ac36f1c7205d7a7cee133a1fb98f",
"sha512_sri": "sha512-WW55u7N8p6FY4r0DWyRcGWebN3XxsjdHOOLfiO4FTNrdyv99yxMoPtJ8LaXsAxobWsBSzMQOufEvSmENqo4KwA=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "@lazyutil/dater"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"versions": [
"0.9.2",
"0.8.1",
"0.9.4",
"0.9.5",
"0.9.3"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
},
{
"contact": [
"https://safedep.io"
],
"name": "SafeDep",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007295",
"import_time": "2026-06-23T16:54:15.639200311Z",
"modified_time": "2026-06-23T16:22:40Z",
"sha256": "1e60ea16a2304b00c24feeb56b14387e7b137e4e832eebeef61536bbdc30ee64",
"source": "amazon-inspector",
"versions": [
"0.9.2"
]
},
{
"id": "IN-MAL-2026-007298",
"import_time": "2026-06-23T16:54:15.940425918Z",
"modified_time": "2026-06-23T16:22:43Z",
"sha256": "3085d5883cb7184bb57024ffe4bb1c5760ea3b120ce4b4dee03c874b3cbc62d4",
"source": "amazon-inspector",
"versions": [
"0.8.1"
]
},
{
"id": "IN-MAL-2026-007293",
"import_time": "2026-06-23T16:54:15.517199005Z",
"modified_time": "2026-06-23T16:22:37Z",
"sha256": "362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a",
"source": "amazon-inspector",
"versions": [
"0.9.4"
]
},
{
"id": "IN-MAL-2026-007294",
"import_time": "2026-06-23T16:54:15.586697918Z",
"modified_time": "2026-06-23T16:22:38Z",
"sha256": "af4babebb1ad40ecc1260f2036da3052003e645d7edfdcc5d03bd6105748659d",
"source": "amazon-inspector",
"versions": [
"0.9.5"
]
},
{
"id": "IN-MAL-2026-007297",
"import_time": "2026-06-23T16:54:15.828809301Z",
"modified_time": "2026-06-23T16:22:43Z",
"sha256": "c55953491fa63e65d06f8db1855ea4ae815244b2c0b7590f609ca0b460928181",
"source": "amazon-inspector",
"versions": [
"0.9.3"
]
}
]
},
"details": "@lazyutil/dater (malicious versions 0.8.1, 0.9.2, 0.9.3, and 0.9.4, published by lazyutil-78muyg@wshu.net) is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern \u003cscope\u003e-\u003c6 random chars\u003e@wshu.net, with every scope created on June 4, 2026 in a ~40-minute burst. This package masquerades as a date library and ships real, working utility code so it passes a glance, while bundling a much larger malicious payload (lib/tzinit.js in the earliest variant, dist/lib/tzinit.cjs thereafter). package.json declares a postinstall hook (e.g. \"node ./dist/lib/tzinit.cjs\") that runs the payload automatically on npm install. The payload is heavily obfuscated with javascript-obfuscator (hex-named identifiers, a while (!![]) array-rotation IIFE, base64+RC4 string decoding, control-flow flattening, and runtime-decrypted module resolution to stay out of the static module graph). At runtime it is a Chromium browser credential stealer: it reads Chromium Cookies and Login Data and decrypts saved passwords protected by AES-256-GCM (the v10/v11 app-bound key schemes), then exfiltrates them over HTTPS using a spoofed Mozilla/5.0 user agent. Consistent with the campaign, the dangerous versions sit in mid-ranges while the latest tag (0.9.5) points to a scrubbed release with an empty scripts block. The 0.9.4 payload blob is byte-identical to @glitchpad/throttler@2.2.3 from the same campaign. Malicious payload dist/lib/tzinit.cjs (0.9.4) SHA-256: 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (362ed214c96b3a091355472cb7d03ca7dcb1c3b1c36daede92d4e7a04027cb8a)\n@lazyutil/dater is a trojanized repackage of the legitimate `timezonecomplete` library. Its package.json declares `postinstall: node./dist/lib/tzinit.cjs`, which runs automatically on `npm install`. tzinit.cjs is a 263 KB obfuscator.io-protected file (string-array RC4/XOR + control-flow flattening) that uses AES-256-GCM with a hardcoded key/IV/AAD to decrypt an embedded URL and host, then performs an HTTP GET to fetch a binary, writes it to disk, chmods it executable, and spawns it via `process.execPath` or `sh -c`. The dropper is platform-gated for win32/darwin/linux, retries with backoff, and re-execs the package\u0027s process. None of this is required for a date/timezone library and the legitimate upstream has neither a postinstall nor a tzinit.cjs. Trojanization signals: package description is copied verbatim from `timezonecomplete`, the `repository` field still points at the upstream author\u0027s git URL (`github.com/rogierschouten/timezonecomplete`), `homepage` points at a placeholder `github.com/lazyutil`, and `author` is a fresh ProtonMail identity unrelated to the original maintainer. Installing this package gives an attacker arbitrary code execution on the installer\u0027s machine.\n",
"id": "MAL-2026-6308",
"modified": "2026-06-23T19:34:37Z",
"published": "2026-06-22T12:00:00Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater/v/0.9.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater/v/0.8.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater/v/0.9.4"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater/v/0.9.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater/v/0.9.3"
},
{
"type": "REPORT",
"url": "https://safedep.io/wshu-net-npm-credential-stealer-campaign/"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/@lazyutil/dater"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in @lazyutil/dater (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.