datefmt-helpernpm
Malicious code in datefmt-helper (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The npm package datefmt-helper is a supply-chain dropper disguised as a benign date-formatting utility (its description reads "dates formatting utility with locale support"). The package ships no source repository and places its real behaviour in an install script.
A postinstall lifecycle hook (postinstall: node postinstall.js) executes automatically on npm install, before the package is ever imported. The install script uses HTTP / curl / wget primitives to download a second-stage payload from the hardcoded external IP 115.190.124.243, then executes it via a Node child process — the classic download-and-execute pattern. Any developer workstation or CI runner that installs the package (directly or transitively) hands arbitrary code execution to the operator of that endpoint.
Detected and classified independently by codelake Research from the live npm feed on 2026-07-02; at the time of reporting the package was not present in OSV or GHSA (a first-catch).
Malicious versions
Detection & response playbook
Malicious packageFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for datefmt-helper (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging datefmt-helper across your stack and pipelines.
If you installed it — respond
Remove datefmt-helper from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If datefmt-helper was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks datefmt-helper before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
References
Credits
- codelake Research · finder
Detect & block this
O3 blocks datefmt-helper-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.