ac_calendar_ts @99.99.100
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5434
Ecosystem: npm
Summary:
On npm install, the package's canary.js postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's os.hostname(), package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name: the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.
Source: amazon-inspector (d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63)