MAL-2026-6547

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-editable-calendar/MAL-2026-6547.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6547
Published
2026-06-27T15:45:20Z
Modified
2026-06-27T16:16:37.489977062Z
Summary
Malicious code in react-editable-calendar (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f)

On npm install, the package's preinstall hook runs node dist/index.d.js. That file base64-decodes a payload which fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=master and passes the response to eval. The eval identifier is obfuscated by constructing it from character codes [101,118,97,104] and invoking it via globalThis[tag](text) rather than appearing as a literal in source. The result is arbitrary attacker-controlled JavaScript execution on the installer's machine at install time, from an anonymous third-party host. The package name mimics common React calendar component naming and ships empty author metadata, with a minimal dist tree whose only auto-executed code is the remote-eval dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.1.7"
            ],
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-27T15:45:20Z",
            "sha256": "9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f",
            "id": "IN-MAL-2026-007679",
            "source": "amazon-inspector",
            "import_time": "2026-06-27T15:57:48.894038811Z"
        }
    ]
}
References
Credits

Affected packages

npm / react-editable-calendar

Package

Name
react-editable-calendar
Purl
pkg:npm/react-editable-calendar

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.1.7

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "react-editable-calendar-0.1.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-xOreUhGKCBur7Lt59YLTRe809tQRqhd3UaUZ5NfvL/xZtdEiKDAXMYVihYd66B2sQl7jsB5tgoGsUA2B+Q5Wtg==",
                "sha1": "9d3ee693bafa569442dba5d5a52cb22c1634c01d"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/index.d.js",
            "tlsh": "c9f09e7913e520b0f11450cf5495a000b346e1f2396cc57af92fcd952696c4095f53e0",
            "sha256": "a62f4eba2412b724cd99f542a19cfbc7573937a904410f298109a56599118888"
        },
        {
            "path": "package.json",
            "tlsh": "64213a18d8a18d2325c966b2981b4946a37149870a147e1d73cf416c0f8d2dfc2ff6ef",
            "sha256": "02385d9a6f823afc1216d33e133b9356fe43a96648496edd8bff0a018a06cb2d"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-editable-calendar/MAL-2026-6547.json"