MAL-2026-6255

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fork-angular-daterangepicker/MAL-2026-6255.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6255
Published
2026-06-21T17:40:39Z
Modified
2026-06-22T16:46:23.704313925Z
Summary
Malicious code in fork-angular-daterangepicker (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f)

package.json declares a preinstall lifecycle hook ("preinstall": "node index.js") that runs index.js on every npm install. index.js line 3 hardcodes https://d8s1eti9io6kqja3sg5gsyqs4aqawhqxg.oast.live/npm-installed and issues an HTTPS GET to that endpoint at install time. oast.live is an Interactsh / OAST collaborator service; the unique per-subdomain identifier lets whoever generated it confirm — out-of-band — which hosts installed the package, capturing the installer's source IP, DNS resolver, and install timestamp. The package self-describes as a "PoC package for dependency confusion testing" and its name impersonates the legitimate angular-daterangepicker package, indicating the beacon's purpose is to verify dependency-confusion hits inside private/internal build environments. Even when framed as a "PoC", running this on a real installer leaks network-position metadata to a third party without consent.

Source: ossf-package-analysis (1039c8f464314b48100d7e598c6f39b5a94100226f3c8639afe4c0d038df5dc1)

The OpenSSF Package Analysis project identified 'fork-angular-daterangepicker' @ 11.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1039c8f464314b48100d7e598c6f39b5a94100226f3c8639afe4c0d038df5dc1",
            "import_time": "2026-06-21T18:37:59.281626501Z",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-21T17:40:39Z",
            "versions": [
                "11.0.0"
            ]
        },
        {
            "sha256": "16f3a4146bc0981e2d25e726bcfd2a0bddbdb3bdacc2e17399b492d5c76ad721",
            "import_time": "2026-06-22T16:36:58.900777317Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T16:28:26Z",
            "versions": [
                "9.0.0"
            ],
            "id": "IN-MAL-2026-007111"
        },
        {
            "sha256": "d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f",
            "import_time": "2026-06-22T16:36:59.015110627Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T16:28:30Z",
            "versions": [
                "11.0.0"
            ],
            "id": "IN-MAL-2026-007113"
        },
        {
            "sha256": "f770403cde15a543fd5cb50084d22fc1fa9e8f2b26e739d5a0de46006231c8bd",
            "import_time": "2026-06-22T16:36:58.967166242Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-22T16:28:27Z",
            "versions": [
                "10.0.0"
            ],
            "id": "IN-MAL-2026-007112"
        }
    ]
}
References
Credits

Affected packages

npm / fork-angular-daterangepicker

Package

Name
fork-angular-daterangepicker
Purl
pkg:npm/fork-angular-daterangepicker

Affected ranges

Affected versions

9.*
9.0.0
10.*
10.0.0
11.*
11.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fork-angular-daterangepicker/MAL-2026-6255.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "c866c21375669ac31b96352b13dbc5c841e692008fc41894c58e8cf28a87a7a9",
            "tlsh": "0bd0a7f501fa01301d7062c64002af6fb56f8c302e89b5e21a08127587d65f98eb7ad8",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "fork-angular-daterangepicker-9.0.0.tgz",
            "hashes": {
                "sha1": "47d1d10a4585c41dd6eb86a8fefd92bdd9d06a36",
                "sha512_sri": "sha512-KAEoVLtMpyfrUmzhDyKX0xw8AKbtH/paXPS1U3jy7n1aO8kGAABI3mJWpYtPRN8N1xx5z7KIfqAEH09Cwukybw=="
            }
        }
    ]
}