VYPR

npm · Malicious package advisory

Malware

ac_calendar_ts

MAL-2026-5434

Malicious code in ac_calendar_ts (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63)
On `npm install`, the package's `canary.js` postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's `os.hostname()`, package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name — the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.

Compromised versions (1)

  • 99.99.100

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.