OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6547 confirms this npm version as malicious. package.json declares a preinstall hook `node src/utils/index.d.js`, but the published tarball's `files` whitelist ships only `dist/`, `README.md`, and `LICENSE` — `src/utils/index.d.js` is not present, so `npm install` will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact...
Advisory
MAL-2026-6547
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-editable-calendar (npm)
Details
package.json declares a preinstall hook `node src/utils/index.d.js`, but the published tarball's `files` whitelist ships only `dist/`, `README.md`, and `LICENSE` — `src/utils/index.d.js` is not present, so `npm install` will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name `react-editable-calendar` does not match the library's documented identity (`schedulaforge`, exporting a `SchedulaForge` class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers.
## Source: ossf-package-analysis (861d1a7aff6fd0e70699aedba04e28c0af286ad7c07d64a48bfbecdb54dbdcf2) The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms react-editable-calendar@0.1.6 as malicious (MAL-2026-6547): Malicious code in react-editable-calendar (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory