{"id":"MAL-2026-5434","summary":"Malicious code in ac_calendar_ts (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63)\nOn `npm install`, the package's `canary.js` postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's `os.hostname()`, package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name — the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.\n","modified":"2026-06-09T18:01:33.659643006Z","published":"2026-06-09T17:16:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005009","modified_time":"2026-06-09T17:16:58Z","import_time":"2026-06-09T17:45:48.60345949Z","sha256":"d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63","source":"amazon-inspector","versions":["99.99.100"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ac_calendar_ts/v/99.99.100"}],"affected":[{"package":{"name":"ac_calendar_ts","ecosystem":"npm","purl":"pkg:npm/ac_calendar_ts"},"versions":["99.99.100"],"database_specific":{"indicators":{"package_integrity":[{"filename":"ac_calendar_ts-99.99.100.tgz","hashes":{"sha512_sri":"sha512-MQ6fhHq5KH15EOLc5QdouPe6f4XEy2aVy+iZw/U9a9vv6oXz/gKVJ5cNvewH8wevM+Q4oOUPq436tdSpciMbuw==","sha1":"63506b6e9bab90c906432b99dd7c0e3bacfc3a47"}}],"evidence_files":[{"path":"canary.js","sha256":"c9d0a97fa9c2089cd5aa3551f8988527f03c3e99c5bec79773e5e6b151a16409","tlsh":"b00141eb04f1e23063f549cae0730d66b122c292331fbcb0788c09500f9ed8c42719d5"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_calendar_ts/MAL-2026-5434.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}