-= Per source details. Do not edit below this line.=-
package.json declares a preinstall hook node src/utils/index.d.js, but the published tarball's files whitelist ships only dist/, README.md, and LICENSE — src/utils/index.d.js is not present, so npm install will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name react-editable-calendar does not match the library's documented identity (schedulaforge, exporting a SchedulaForge class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers.
The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007679",
"sha256": "9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f",
"modified_time": "2026-06-27T15:45:20Z",
"versions": [
"0.1.7"
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"source": "amazon-inspector",
"import_time": "2026-06-27T15:57:48.894038811Z"
},
{
"sha256": "861d1a7aff6fd0e70699aedba04e28c0af286ad7c07d64a48bfbecdb54dbdcf2",
"versions": [
"0.1.7"
],
"import_time": "2026-06-29T03:16:41.22757879Z",
"source": "ossf-package-analysis",
"modified_time": "2026-06-27T09:55:36Z"
},
{
"modified_time": "2026-07-08T20:21:36Z",
"sha256": "539ff0daa4bfaec9dddd298118be9bfcc28ac756af9346b24a510eb8f8ca8ad2",
"versions": [
"0.1.0"
],
"import_time": "2026-07-08T20:32:38.357952071Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008511"
},
{
"modified_time": "2026-07-08T20:21:19Z",
"sha256": "8af9e334c9bfe687721e4534fd862ee860360a2be87e4459bd1a0a4b9fc07890",
"versions": [
"0.1.1"
],
"import_time": "2026-07-08T20:32:38.09710438Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008509"
},
{
"source": "amazon-inspector",
"sha256": "b847aa9dcb82d78d1bc8def9bbddffd59ed6cf6940a3b657af7cdb28e6bb65d4",
"import_time": "2026-07-08T20:32:38.601509498Z",
"modified_time": "2026-07-08T20:21:46Z",
"id": "IN-MAL-2026-008512",
"versions": [
"0.1.2"
]
},
{
"id": "IN-MAL-2026-008516",
"sha256": "e407046f5e2ea0547c1c0ee407d5d8537dde13b6f9a047d389616dd510ba356d",
"modified_time": "2026-07-08T20:22:17Z",
"versions": [
"0.1.4"
],
"source": "amazon-inspector",
"import_time": "2026-07-08T20:32:39.192222709Z"
},
{
"versions": [
"0.1.3"
],
"sha256": "ee65361bdf7076d8f4f5612b650c6188034f44bec1a017cdd010220aa5a7e7db",
"import_time": "2026-07-08T20:32:38.930554637Z",
"modified_time": "2026-07-08T20:21:59Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008514"
},
{
"source": "amazon-inspector",
"sha256": "ef4c5725bd98fb80c8dc59c58f68627b6a69aa4c4ae16d3f0c70c011895144cb",
"import_time": "2026-07-08T23:27:58.642695821Z",
"modified_time": "2026-07-08T23:04:35Z",
"id": "IN-MAL-2026-009003",
"versions": [
"0.1.6"
]
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "react-editable-calendar-0.1.7.tgz",
"hashes": {
"sha1": "9d3ee693bafa569442dba5d5a52cb22c1634c01d",
"sha512_sri": "sha512-xOreUhGKCBur7Lt59YLTRe809tQRqhd3UaUZ5NfvL/xZtdEiKDAXMYVihYd66B2sQl7jsB5tgoGsUA2B+Q5Wtg=="
}
}
],
"evidence_files": [
{
"tlsh": "c9f09e7913e520b0f11450cf5495a000b346e1f2396cc57af92fcd952696c4095f53e0",
"sha256": "a62f4eba2412b724cd99f542a19cfbc7573937a904410f298109a56599118888",
"path": "dist/index.d.js"
},
{
"tlsh": "64213a18d8a18d2325c966b2981b4946a37149870a147e1d73cf416c0f8d2dfc2ff6ef",
"sha256": "02385d9a6f823afc1216d33e133b9356fe43a96648496edd8bff0a018a06cb2d",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-editable-calendar/MAL-2026-6547.json"