easy-day-js@1.11.21

2KB immutable date time library alternative to Moment.js with the same modern API

latest version

1.11.21

first published

4 days ago

latest version published

4 days ago

licenses detected

MIT
>=0

View easy-day-js package health on Snyk (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the easy-day-js package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Embedded Malicious Code Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account `ehindero` hijacked the `@mastra` npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire `@mastra` catalog. The Mastra source code was left untouched. The only change was a single new dependency added to each package: `easy-day-js`, a typosquat of the popular `dayjs` date library. A day earlier, a related account (`sergey2016`) published a clean decoy, `easy-day-js@1.11.21`; the weaponized `1.11.22` landed at 01:01 UTC, eleven minutes before the Mastra sweep began. Because packages depended on `^1.11.21`, installs resolve to the malicious `1.11.22`. Its `postinstall` hook disables TLS verification, downloads a second stage from 23.254.164.92, runs it as a detached background process, then deletes itself. The recovered payload is a cross-platform infostealer targeting browser data and 160+ crypto-wallet extensions. How to fix Embedded Malicious Code? Avoid using all malicious instances of the `easy-day-js` package.	=1.11.21=1.11.22

Embedded Malicious Code

Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was left untouched. The only change was a single new dependency added to each package: easy-day-js, a typosquat of the popular dayjs date library. A day earlier, a related account (sergey2016) published a clean decoy, easy-day-js@1.11.21; the weaponized 1.11.22 landed at 01:01 UTC, eleven minutes before the Mastra sweep began. Because packages depended on ^1.11.21, installs resolve to the malicious 1.11.22. Its postinstall hook disables TLS verification, downloads a second stage from 23.254.164.92, runs it as a detached background process, then deletes itself. The recovered payload is a cross-platform infostealer targeting browser data and 160+ crypto-wallet extensions.

How to fix Embedded Malicious Code?

Avoid using all malicious instances of the easy-day-js package.

=1.11.21=1.11.22

Go back to all versions of this package