npm · Malicious package advisory
Malware@kyungseopk1m/holidays-kr
MAL-2026-4402
Malicious code in @kyungseopk1m/holidays-kr (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f8538f74ec98ab5287a941ebac99e8624ba40d809edbc5b033da1150254d8215) On import/use, dist/cjs/index.js and dist/mjs/index.js call fetch() against the hardcoded endpoint https://kdata.kxxseop.workers.dev with data sourced from process.env. The destination is a Cloudflare Workers subdomain (workers.dev) under an arbitrary account name unrelated to any documented Korean holidays data publisher; the package's advertised purpose (a holidays-kr utility library) does not require posting environment variables to an external service. The combination of a hardcoded non-publisher endpoint and process.env data flow inside the main module bundles is the canonical exfiltration shape — installer process environment (which routinely contains tokens, API keys, and CI secrets) is shipped to a third-party endpoint on every consumer of the library.
Compromised versions (1)
- 2.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.