npm · Malicious package advisory
Malwareac_calendar_ts
MAL-2026-5434
Malicious code in ac_calendar_ts (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63) On `npm install`, the package's `canary.js` postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's `os.hostname()`, package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name — the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.
Compromised versions (1)
- 99.99.100
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.