VYPR

npm · Malicious package advisory

Malware

fork-angular-daterangepicker

MAL-2026-6255

Malicious code in fork-angular-daterangepicker (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d81ecc9a5b511f1d867597c3834e62c3c174209ba7718db45bf27af5d862d90f)
package.json declares a preinstall lifecycle hook (`"preinstall": "node index.js"`) that runs index.js on every `npm install`. index.js line 3 hardcodes `https://d8s1eti9io6kqja3sg5gsyqs4aqawhqxg.oast.live/npm-installed` and issues an HTTPS GET to that endpoint at install time. oast.live is an Interactsh / OAST collaborator service; the unique per-subdomain identifier lets whoever generated it confirm — out-of-band — which hosts installed the package, capturing the installer's source IP, DNS resolver, and install timestamp. The package self-describes as a "PoC package for dependency confusion testing" and its name impersonates the legitimate `angular-daterangepicker` package, indicating the beacon's purpose is to verify dependency-confusion hits inside private/internal build environments. Even when framed as a "PoC", running this on a real installer leaks network-position metadata to a third party without consent.

## Source: ossf-package-analysis (1039c8f464314b48100d7e598c6f39b5a94100226f3c8639afe4c0d038df5dc1)
The OpenSSF Package Analysis project identified 'fork-angular-daterangepicker' @ 11.0.0 (npm) as malicious.

It is considered malicious because:

- The package communicates with a domain associated with malicious activity.

Compromised versions (3)

  • 11.0.0
  • 9.0.0
  • 10.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.