{"id":"MAL-2026-4402","summary":"Malicious code in @kyungseopk1m/holidays-kr (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215)\nOn import/use, dist/cjs/index.js and dist/mjs/index.js call fetch() against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced from process.env. The destination is a Cloudflare Workers subdomain (workers.dev) under an arbitrary account name unrelated to any documented Korean holidays data publisher; the package's advertised purpose (a holidays-kr utility library) does not require posting environment variables to an external service. The combination of a hardcoded non-publisher endpoint and process.env data flow inside the main module bundles is the canonical exfiltration shape — installer process environment (which routinely contains tokens, API keys, and CI secrets) is shipped to a third-party endpoint on every consumer of the library.\n","modified":"2026-05-27T00:31:56.182689349Z","published":"2026-05-21T18:41:35Z","withdrawn":"2026-05-26T18:09:18Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-21T18:41:35Z","versions":["2.0.2"],"sha256":"f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215","source":"amazon-inspector","import_time":"2026-05-26T05:51:43.209484078Z","id":"IN-MAL-2026-003990"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@kyungseopk1m/holidays-kr/v/2.0.2"}],"affected":[{"package":{"name":"@kyungseopk1m/holidays-kr","ecosystem":"npm","purl":"pkg:npm/%40kyungseopk1m%2Fholidays-kr"},"versions":["2.0.2"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kyungseopk1m/holidays-kr/MAL-2026-4402.json","indicators":{"evidence_files":[{"sha256":"6d4bb1f0d400a60c47be65ca9698fbbd65768bd461225bad734445fff43da4b1","tlsh":"f661b049dab3106002b7a1ed5a6ff405a726b0ab334cd895b7cc57043f8a57da2f23e5","path":"dist/cjs/index.js"},{"sha256":"50d2edbbf9214b7afdf4abb7f4d680284cdbeb099517e68014c5833c753902f0","tlsh":"dd51af49d9b3105002b7a1ed5a6bf415a326f0a7364cd895b7cc67003f8a579a2f33e6","path":"dist/mjs/index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-V8M2GYYnqNFCx7ZA7J0SK14NnHQlknbDY9pV8QxtEgxXxwm+Oyf+rKPCxsZ5tNpPvI5BLrB1AGz7HCMBWMD3tg==","sha1":"10bef779a5c87b31d858e004278a4ff4631792e2"},"filename":"holidays-kr-2.0.2.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}