Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in react-editable-calendar (npm)

react-editable-calendar

Risk score

92

AI summary

Indexed incident for react-editable-calendar (npm).

Description

package.json declares a preinstall hook node src/utils/index.d.js, but the published tarball's files whitelist ships only dist/, README.md, and LICENSEsrc/utils/index.d.js is not present, so npm install will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name react-editable-calendar does not match the library's documented identity (schedulaforge, exporting a SchedulaForge class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers.

The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Technical details

Affected versions

=0.1.7=0.1.0=0.1.1=0.1.2=0.1.4=0.1.3=0.1.6>=0

Indicators

  • affected version=0.1.775%
  • affected version=0.1.075%
  • affected version=0.1.175%
  • affected version=0.1.275%
  • affected version=0.1.475%
  • affected version=0.1.375%
  • affected version=0.1.675%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents