MAL-2026-10106

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rallycoding/MAL-2026-10106.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10106
Published
2026-07-09T22:57:12Z
Modified
2026-07-09T23:47:00.341541063Z
Summary
Malicious code in rallycoding (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a)

package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On npm install, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a",
            "id": "IN-MAL-2026-009589",
            "modified_time": "2026-07-09T22:57:12Z",
            "versions": [
                "3.2.0"
            ],
            "import_time": "2026-07-09T23:30:55.661223209Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rallycoding

Package

Affected ranges

Affected versions

3.*
3.2.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "9df02b2cdf71aa1366c836f56d660107e2395f479418fd4836db2a1c1b8c0bf20f825d",
            "sha256": "b4a33963b34be4647dc214da61a8df65cdf4337116cbf8c86e7ca28e26a22309",
            "path": "package.json"
        },
        {
            "sha256": "f2fcebdb4f0e41365a39ca87a52fcc4e6abd5633fe6272e60d1386d26b90ef41",
            "tlsh": "71a1935ab5e0159745aa22e5b3ce48b577bd80b3330df5a0b54cbf563f40c348a1aed1",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "rallycoding-3.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-CPZGfI+qv1iacUTlC3qbQwDXKqp/cg1EU8CInvPJyetkibRAHaiiadFyJyUSbxdGep3PUIHFn2Lpqqz5IBuouQ==",
                "sha1": "322a5a6b0b8903e9d3c08600225655b7ae7a5c3f"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rallycoding/MAL-2026-10106.json"