VDB
KO

MAL-2026-10106

Malicious code in rallycoding (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a) package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On `npm install`, npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / rallycoding

No fixed version published yet for rallycoding (npm). Pin to a known-safe version or switch to an alternative.

References