npm · Malicious package advisory
Malwarereact-editable-calendar
MAL-2026-6547
Malicious code in react-editable-calendar (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ef4c5725bd98fb80c8dc59c58f68627b6a69aa4c4ae16d3f0c70c011895144cb) package.json declares a preinstall hook `node src/utils/index.d.js`, but the published tarball's `files` whitelist ships only `dist/`, `README.md`, and `LICENSE` — `src/utils/index.d.js` is not present, so `npm install` will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name `react-editable-calendar` does not match the library's documented identity (`schedulaforge`, exporting a `SchedulaForge` class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers. ## Source: ossf-package-analysis (861d1a7aff6fd0e70699aedba04e28c0af286ad7c07d64a48bfbecdb54dbdcf2) The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Compromised versions (7)
- 0.1.7
- 0.1.0
- 0.1.1
- 0.1.2
- 0.1.4
- 0.1.3
- 0.1.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.