{"id":"MAL-2026-6255","summary":"Malicious code in fork-angular-daterangepicker (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f)\npackage.json declares a preinstall lifecycle hook (`\"preinstall\": \"node index.js\"`) that runs index.js on every `npm install`. index.js line 3 hardcodes `https://d8s1eti9io6kqja3sg5gsyqs4aqawhqxg.oast.live/npm-installed` and issues an HTTPS GET to that endpoint at install time. oast.live is an Interactsh / OAST collaborator service; the unique per-subdomain identifier lets whoever generated it confirm — out-of-band — which hosts installed the package, capturing the installer's source IP, DNS resolver, and install timestamp. The package self-describes as a \"PoC package for dependency confusion testing\" and its name impersonates the legitimate `angular-daterangepicker` package, indicating the beacon's purpose is to verify dependency-confusion hits inside private/internal build environments. Even when framed as a \"PoC\", running this on a real installer leaks network-position metadata to a third party without consent.\n\n## Source: ossf-package-analysis (1039c8f464314b48100d7e598c6f39b5a94100226f3c8639afe4c0d038df5dc1)\nThe OpenSSF Package Analysis project identified 'fork-angular-daterangepicker' @ 11.0.0 (npm) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2026-06-22T16:46:23.704313925Z","published":"2026-06-21T17:40:39Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-21T17:40:39Z","import_time":"2026-06-21T18:37:59.281626501Z","versions":["11.0.0"],"sha256":"1039c8f464314b48100d7e598c6f39b5a94100226f3c8639afe4c0d038df5dc1","source":"ossf-package-analysis"},{"modified_time":"2026-06-22T16:28:26Z","import_time":"2026-06-22T16:36:58.900777317Z","id":"IN-MAL-2026-007111","versions":["9.0.0"],"sha256":"16f3a4146bc0981e2d25e726bcfd2a0bddbdb3bdacc2e17399b492d5c76ad721","source":"amazon-inspector"},{"modified_time":"2026-06-22T16:28:30Z","import_time":"2026-06-22T16:36:59.015110627Z","id":"IN-MAL-2026-007113","versions":["11.0.0"],"sha256":"d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f","source":"amazon-inspector"},{"modified_time":"2026-06-22T16:28:27Z","import_time":"2026-06-22T16:36:58.967166242Z","id":"IN-MAL-2026-007112","versions":["10.0.0"],"sha256":"f770403cde15a543fd5cb50084d22fc1fa9e8f2b26e739d5a0de46006231c8bd","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/fork-angular-daterangepicker/v/9.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/fork-angular-daterangepicker/v/11.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/fork-angular-daterangepicker/v/10.0.0"}],"affected":[{"package":{"name":"fork-angular-daterangepicker","ecosystem":"npm","purl":"pkg:npm/fork-angular-daterangepicker"},"versions":["11.0.0","9.0.0","10.0.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"index.js","tlsh":"0bd0a7f501fa01301d7062c64002af6fb56f8c302e89b5e21a08127587d65f98eb7ad8","sha256":"c866c21375669ac31b96352b13dbc5c841e692008fc41894c58e8cf28a87a7a9"}],"package_integrity":[{"filename":"fork-angular-daterangepicker-9.0.0.tgz","hashes":{"sha1":"47d1d10a4585c41dd6eb86a8fefd92bdd9d06a36","sha512_sri":"sha512-KAEoVLtMpyfrUmzhDyKX0xw8AKbtH/paXPS1U3jy7n1aO8kGAABI3mJWpYtPRN8N1xx5z7KIfqAEH09Cwukybw=="}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fork-angular-daterangepicker/MAL-2026-6255.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}