{"id":"MAL-2026-10106","summary":"Malicious code in rallycoding (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a)\npackage.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On `npm install`, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.\n","modified":"2026-07-09T23:47:00.341541063Z","published":"2026-07-09T22:57:12Z","database_specific":{"malicious-packages-origins":[{"sha256":"789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a","source":"amazon-inspector","versions":["3.2.0"],"id":"IN-MAL-2026-009589","import_time":"2026-07-09T23:30:55.661223209Z","modified_time":"2026-07-09T22:57:12Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rallycoding/v/3.2.0"}],"affected":[{"package":{"name":"rallycoding","ecosystem":"npm","purl":"pkg:npm/rallycoding"},"versions":["3.2.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"9df02b2cdf71aa1366c836f56d660107e2395f479418fd4836db2a1c1b8c0bf20f825d","path":"package.json","sha256":"b4a33963b34be4647dc214da61a8df65cdf4337116cbf8c86e7ca28e26a22309"},{"sha256":"f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41","tlsh":"71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1","path":"index.js"}],"package_integrity":[{"filename":"rallycoding-3.2.0.tgz","hashes":{"sha1":"322a5a6b0b8903e9d3c08600225655b7ae7a5c3f","sha512_sri":"sha512-CPZGfI+qv1iacUTlC3qbQwDXKqp/cg1EU8CInvPJyetkibRAHaiiadFyJyUSbxdGep3PUIHFn2Lpqqz5IBuouQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rallycoding/MAL-2026-10106.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}