MAL-2026-6566: Malicious code in date-uuid (npm)
The npm package 'date-uuid', versions 1.0.0 and 1.0.1, contains malicious code that executes an attacker-controlled script. Upon import, it reads the caller's README.md file to reconstruct a URL, fetches a script from that URL, saves it as a temporary .vbs file, and executes it. This behavior is unrelated to the package's advertised UUID functionality and uses obfuscation techniques to evade detection.
AI Analysis
Technical Summary
Versions 1.0.0 and 1.0.1 of the 'date-uuid' npm package are malicious. When the package is required or imported, it automatically runs a function that reads specific lines from the README.md file in the current working directory. It uses these lines to reconstruct a base64-encoded URL, fetches a payload script from this URL, writes it to the operating system's temporary directory with a '.vbs' extension (obfuscated by splitting the extension string), and executes it via child_process.exec. This design decouples the malicious payload source from the package itself, enabling dynamic and deniable deployment of malicious code. The obfuscation and execution behavior indicate deliberate evasion and malicious intent.
Potential Impact
The package executes arbitrary code fetched from an attacker-controlled URL on the victim's system, which can lead to remote code execution and compromise of the host environment. Because the payload URL is sourced from the caller's README.md file, the attack can be staged or changed without republishing the package, increasing the risk of undetected ongoing compromise.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. The recommended mitigation is to avoid using the 'date-uuid' package versions 1.0.0 and 1.0.1. Remove these versions from your environment and replace them with trusted alternatives. Monitor your environment for any execution of unexpected scripts and verify the integrity of your dependencies. Since this is a malicious package, do not rely on vendor advisories for remediation; instead, remove the package and audit affected systems.
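One way to carry out the removal step is to check a project's lockfile for the two affected versions, including nested and aliased installs. This is an added example, not code from the advisory or the package; `findAffected` is a hypothetical helper name and the sample lockfiles are constructed.

```javascript
// Added example: name and versions are from the advisory; lockfiles are constructed.
const BAD_NAME = "date-uuid";
const BAD_VERSIONS = new Set(["1.0.0", "1.0.1"]);

function findAffected(lock) {
  const hits = [];
  const check = (name, meta, where) => {
    if (name === BAD_NAME && BAD_VERSIONS.has(meta.version)) {
      hits.push({ where, version: meta.version });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      // Aliased installs carry the real package name in meta.name.
      check(meta.name || path.split("node_modules/").pop(), meta, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta, [...trail, name].join(" > "));
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/uuid": { version: "9.0.1" },
    "node_modules/app-lib/node_modules/date-uuid": { version: "1.0.1" },
    "node_modules/ids": { name: "date-uuid", version: "1.0.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "app-lib": { version: "2.3.0", dependencies: { "date-uuid": { version: "1.0.0" } } },
  },
};

console.log(findAffected(SAMPLE_V3), findAffected(SAMPLE_V1));
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `findAffected`; any hit means the host that installed it should be treated as having executed the package's import-time code.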
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: MAL-2026-6566
- Osv Schema Version: 1.7.4
- Aliases: []
- Ecosystems: ["npm"]
- Database Specific Severity: null
- Cvss Version: null
Threat ID: 6a42ed7827e9c797199395cc
Added to database: 06/29/2026, 22:11:04 UTC
Last enriched: 06/29/2026, 22:41:23 UTC
Last updated: 06/30/2026, 00:47:01 UTC