VYPR

npm · Malicious package advisory

Malware

react-editable-calendar

MAL-2026-6547

Malicious code in react-editable-calendar (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ef4c5725bd98fb80c8dc59c58f68627b6a69aa4c4ae16d3f0c70c011895144cb)
package.json declares a preinstall hook `node src/utils/index.d.js`, but the published tarball's `files` whitelist ships only `dist/`, `README.md`, and `LICENSE` — `src/utils/index.d.js` is not present, so `npm install` will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name `react-editable-calendar` does not match the library's documented identity (`schedulaforge`, exporting a `SchedulaForge` class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers.

## Source: ossf-package-analysis (861d1a7aff6fd0e70699aedba04e28c0af286ad7c07d64a48bfbecdb54dbdcf2)
The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious.

It is considered malicious because:

- The package executes one or more commands associated with malicious behavior.

Compromised versions (7)

  • 0.1.7
  • 0.1.0
  • 0.1.1
  • 0.1.2
  • 0.1.4
  • 0.1.3
  • 0.1.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.