Malicious package

easy-day-js (npm)

Malicious code in easy-day-js (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5979
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall easy-day-js

What this malware does

The package name 'easy-day-js' impersonates the popular 'dayjs' library. It copies dayjs's author ('iamkun'), homepage (https://day.js.org), repository URL, description, and version number (1.11.22 is a real dayjs release), and bundles dayjs.min.js as main to look legitimate. Its package.json adds a postinstall hook, 'node setup.cjs --no-warnings', that does not exist in real dayjs.

setup.cjs is heavily obfuscated with an obfuscator.io-style rotated base64 string array (a0_0x23bf) and decoder (a0_0x1a24) that hide API names ('node:child_process', 'node:fs', 'node:crypto', 'spawn', 'writeFileSync').

At install time the script:

  • sets NODE_TLS_REJECT_UNAUTHORIZED='0' to disable TLS verification;
  • writes the install directory path to os.tmpdir()/.pkg_history and an encoded buffer to os.tmpdir()/.pkg_logs (staging metadata for the second stage);
  • fetches a JavaScript payload from https://23.254.164.92:8000/update/49890878 and writes it to a random hex-named file in os.tmpdir();
  • spawns that file detached with the installer's node interpreter (process.execPath, stdio:'ignore', unref());
  • unlinks setup.cjs to cover its tracks.

This is a classic install-time remote-code-execution dropper combined with brand impersonation of dayjs.

Malicious versions

1 flagged
1.11.22

Indicators of compromise (SHA-256)

8602a5a154b50bb6351900a08fa45d7814c0f152e4379dcae53ccfa0b83db891

Frequently asked questions

No. easy-day-js on npm has been identified as a malicious package (version 1.11.22 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006871

Credits

  • Amazon Inspector · finder

easy-day-js (npm) malicious package — MAL-2026-5979 | O3 Security