Supply-chain threat intelligence
Risk score
92
Indexed incident for react-editable-calendar (npm).
package.json declares a preinstall hook node src/utils/index.d.js, but the published tarball's files whitelist ships only dist/, README.md, and LICENSE — src/utils/index.d.js is not present, so npm install will fail with ENOENT before any package code executes. No exfiltration, dropper, or attacker-controlled network destination is reachable in the shipped artifact. Separately, the published name react-editable-calendar does not match the library's documented identity (schedulaforge, exporting a SchedulaForge class) and the package contains no React-specific code; the chosen name appears positioned to attract developers searching for a React calendar component. Together these signals — a dangling preinstall pointer to a non-shipped script in a headless library, plus a name/identity mismatch — are atypical enough to warrant human review of the maintainer's intent, but the artifact as published does not harm installers.
The OpenSSF Package Analysis project identified 'react-editable-calendar' @ 0.1.7 (npm) as malicious.
It is considered malicious because:
Affected versions
Indicators
Timeline