malware
npm
@lazyutil/dater
discovered 2026-06-23
Campaign member, masquerades as a datetime/timezone library (decoy code cloned from timezonecomplete). Malicious version 0.8.1 used postinstall 'node lib/tzinit.js'; versions 0.9.2-0.9.4 ship a 262934-byte obfuscated payload (dist/lib/tzinit.cjs) auto-executed via postinstall 'node ./dist/lib/tzinit.cjs'. The 0.9.4 payload blob is BYTE-IDENTICAL (SHA256 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875) to @glitchpad/throttler 2.2.3 primer.cjs, confirming the actor reuses identical compiled blobs in at least one case rather than always re-seeding polymorphic builds. Latest 0.9.5 scrubbed to empty scripts. Publisher [email protected]; author [email protected] / github.com/lazyutil. Created 2026-06-04T07:33:05Z.
Threat types
credential_stealer data_exfiltration persistence typosquat
Malicious versions
- 0.8.1
- 0.9.2
- 0.9.3
- 0.9.4
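To check a project for exposure, the sketch below (an added example, not part of the original entry or of any vendor tooling) scans a parsed package-lock.json for @lazyutil/dater at the listed versions and tests an installed package.json for the two postinstall commands named above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Indicators copied from the advisory entry above.
const PACKAGE = "@lazyutil/dater";
const BAD_VERSIONS = new Set(["0.8.1", "0.9.2", "0.9.3", "0.9.4"]);
const BAD_POSTINSTALL = ["node lib/tzinit.js", "node ./dist/lib/tzinit.cjs"];

// Record one lockfile entry for the package, flagging listed versions.
function hit(path, entry) {
  return {
    path,
    version: entry.version,
    malicious: BAD_VERSIONS.has(entry.version),
    hasInstallScript: entry.hasInstallScript === true,
  };
}

// Scan a parsed package-lock.json: the "packages" map (lockfileVersion 2/3)
// or, when absent, the nested "dependencies" tree (lockfileVersion 1).
function findInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // An aliased install keeps the real package name in entry.name.
    const name = entry.name || path.split("node_modules/").pop();
    if (name === PACKAGE) hits.push(hit(path, entry));
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) hits.push(hit(path, entry));
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Check an installed package.json for the postinstall commands named above.
function checkManifest(manifest) {
  const post = String((manifest.scripts || {}).postinstall || "").trim();
  return {
    listedVersion: manifest.name === PACKAGE && BAD_VERSIONS.has(manifest.version),
    postinstallMatch: BAD_POSTINSTALL.includes(post),
  };
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@lazyutil/dater": { version: "0.9.4", hasInstallScript: true },
  "node_modules/report/node_modules/@lazyutil/dater": { version: "0.9.5" },
  "node_modules/tz": { name: "@lazyutil/dater", version: "0.8.1", hasInstallScript: true },
} };
```

Pass it `JSON.parse` of the project's package-lock.json and of node_modules/@lazyutil/dater/package.json. A hit at 0.9.5 is reported with `malicious: false`, but the host should still be checked for an earlier install of a listed version.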