{"id":"MAL-2026-6547","summary":"Malicious code in react-editable-calendar (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f)\nOn `npm install`, the package's preinstall hook runs `node dist/index.d.js`. That file base64-decodes a payload which fetches JavaScript from `https://everydaynodechecker-39143n.vercel.app/api/key?mem=master` and passes the response to `eval`. The `eval` identifier is obfuscated by constructing it from character codes [101,118,97,104] and invoking it via `globalThis[tag](text)` rather than appearing as a literal in source. The result is arbitrary attacker-controlled JavaScript execution on the installer's machine at install time, from an anonymous third-party host. The package name mimics common React calendar component naming and ships empty author metadata, with a minimal dist tree whose only auto-executed code is the remote-eval dropper.\n","modified":"2026-06-27T16:16:37.489977062Z","published":"2026-06-27T15:45:20Z","database_specific":{"malicious-packages-origins":[{"versions":["0.1.7"],"sha256":"9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f","modified_time":"2026-06-27T15:45:20Z","id":"IN-MAL-2026-007679","import_time":"2026-06-27T15:57:48.894038811Z","source":"amazon-inspector","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/react-editable-calendar/v/0.1.7"}],"affected":[{"package":{"name":"react-editable-calendar","ecosystem":"npm","purl":"pkg:npm/react-editable-calendar"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["0.1.7"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"c9f09e7913e520b0f11450cf5495a000b346e1f2396cc57af92fcd952696c4095f53e0","sha256":"a62f4eba2412b724cd99f542a19cfbc7573937a904410f298109a56599118888","path":"dist/index.d.js"},{"tlsh":"64213a18d8a18d2325c966b2981b4946a37149870a147e1d73cf416c0f8d2dfc2ff6ef","sha256":"02385d9a6f823afc1216d33e133b9356fe43a96648496edd8bff0a018a06cb2d","path":"package.json"}],"package_integrity":[{"hashes":{"sha1":"9d3ee693bafa569442dba5d5a52cb22c1634c01d","sha512_sri":"sha512-xOreUhGKCBur7Lt59YLTRe809tQRqhd3UaUZ5NfvL/xZtdEiKDAXMYVihYd66B2sQl7jsB5tgoGsUA2B+Q5Wtg=="},"filename":"react-editable-calendar-0.1.7.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-editable-calendar/MAL-2026-6547.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}