-= Per source details. Do not edit below this line.=-
On import/use, dist/cjs/index.js and dist/mjs/index.js call fetch() against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced from process.env. The destination is a Cloudflare Workers subdomain (workers.dev) under an arbitrary account name unrelated to any documented Korean holidays data publisher; the package's advertised purpose (a holidays-kr utility library) does not require posting environment variables to an external service. Together, a hardcoded non-publisher endpoint and a process.env data flow inside the main module bundles form the canonical exfiltration shape: the environment of the process that loads the library (which routinely contains tokens, API keys, and CI secrets) is sent to a third-party endpoint for every consumer of the library. Note that the reference recorded with this entry points at a path under osv/withdrawn/ in the ossf/malicious-packages repository, so the record's current status should be confirmed before relying on this finding.
{
"malicious-packages-origins": [
{
"sha256": "f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215",
"import_time": "2026-05-26T05:51:43.209484078Z",
"source": "amazon-inspector",
"modified_time": "2026-05-21T18:41:35Z",
"versions": [
"2.0.2"
],
"id": "IN-MAL-2026-003990"
}
]
}{
"package_integrity": [
{
"filename": "holidays-kr-2.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-V8M2GYYnqNFCx7ZA7J0SK14NnHQlknbDY9pV8QxtEgxXxwm+Oyf+rKPCxsZ5tNpPvI5BLrB1AGz7HCMBWMD3tg==",
"sha1": "10bef779a5c87b31d858e004278a4ff4631792e2"
}
}
],
"evidence_files": [
{
"sha256": "6d4bb1f0d400a60c47be65ca9698fbbd65768bd461225bad734445fff43da4b1",
"tlsh": "f661b049dab3106002b7a1ed5a6ff405a726b0ab334cd895b7cc57043f8a57da2f23e5",
"path": "dist/cjs/index.js"
},
{
"sha256": "50d2edbbf9214b7afdf4abb7f4d680284cdbeb099517e68014c5833c753902f0",
"tlsh": "dd51af49d9b3105002b7a1ed5a6bf415a326f0a7364cd895b7cc67003f8a579a2f33e6",
"path": "dist/mjs/index.js"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@kyungseopk1m/holidays-kr/MAL-2026-4402.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]