MAL-2026-5434

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_calendar_ts/MAL-2026-5434.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5434
Published
2026-06-09T17:16:58Z
Modified
2026-06-09T18:01:33.659643006Z
Summary
Malicious code in ac_calendar_ts (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63)

On npm install, the package's canary.js postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's os.hostname(), package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name — the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005009",
            "import_time": "2026-06-09T17:45:48.60345949Z",
            "sha256": "d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:16:58Z",
            "versions": [
                "99.99.100"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ac_calendar_ts

Package

Affected ranges

Affected versions

99.*
99.99.100

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "canary.js",
            "sha256": "c9d0a97fa9c2089cd5aa3551f8988527f03c3e99c5bec79773e5e6b151a16409",
            "tlsh": "b00141eb04f1e23063f549cae0730d66b122c292331fbcb0788c09500f9ed8c42719d5"
        }
    ],
    "package_integrity": [
        {
            "filename": "ac_calendar_ts-99.99.100.tgz",
            "hashes": {
                "sha512_sri": "sha512-MQ6fhHq5KH15EOLc5QdouPe6f4XEy2aVy+iZw/U9a9vv6oXz/gKVJ5cNvewH8wevM+Q4oOUPq436tdSpciMbuw==",
                "sha1": "63506b6e9bab90c906432b99dd7c0e3bacfc3a47"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ac_calendar_ts/MAL-2026-5434.json"