OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10106 confirms this npm version as malicious. package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On `npm install`, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it...
Advisory
MAL-2026-10106
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rallycoding (npm)
Details
package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On `npm install`, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.
Decision reason
OpenSSF Malicious Packages via OSV confirms rallycoding@3.2.0 as malicious (MAL-2026-10106): Malicious code in rallycoding (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory