registry  /  react-editable-calendar  /  0.1.7

react-editable-calendar@0.1.7

Smart, editable calendar scheduling engine - headless, timezone-aware, with recurrence, conflict resolution, and drag-resize semantics

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6547 confirms this npm version as malicious. On `npm install`, the package's preinstall hook runs `node dist/index.d.js`. That file base64-decodes a payload which fetches JavaScript from `https://everydaynodechecker-39143n.vercel.app/api/key?mem=master` and passes the response to `eval`...

Advisory
MAL-2026-6547
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-editable-calendar (npm)
Details
On `npm install`, the package's preinstall hook runs `node dist/index.d.js`. That file base64-decodes a payload which fetches JavaScript from `https://everydaynodechecker-39143n.vercel.app/api/key?mem=master` and passes the response to `eval`. The `eval` identifier is obfuscated by constructing it from character codes [101,118,97,104] and invoking it via `globalThis[tag](text)` rather than appearing as a literal in source. The result is arbitrary attacker-controlled JavaScript execution on the installer's machine at install time, from an anonymous third-party host. The package name mimics common React calendar component naming and ships empty author metadata, with a minimal dist tree whose only auto-executed code is the remote-eval dropper. ## Source: ossf-package-analysis (861d1a7aff6fd0e70699aedba04e28c0af286ad7c07d64a48bfbecdb54dbdcf2) The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious. It is considered malicious because: - The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms react-editable-calendar@0.1.7 as malicious (MAL-2026-6547): Malicious code in react-editable-calendar (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory