npm

rallycoding @3.2.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-10106

Ecosystem

npm

Summary

package.json declares 'rallycoding' as its own dependency, resolved from an unauthenticated plain-HTTP URL http://pack.nppacks.com/npm/rallycoding rather than the npm registry. On npm install , npm fetches and installs that arbitrary tarball with no integrity pinning and no TLS, and executes any lifecycle scripts contained within it. Because the fetch is unpinned, unauthenticated, and off-registry, the operator of pack.nppacks.com — or any on-path attacker — controls exactly what code runs on the installer's machine at install time. The package additionally reuses the well-known 'rallycoding' identity from the JS teaching community and carries a comment stating 'Security Research Testing Purpose', consistent with a name-confusion lure. The harmful bytes are not shipped in this tarball but are fetched from an author-controlled host at install; regardless of what pack.nppacks.com currently serves, the mechanism is install-time execution of unpinned remote code from a non-registry HTTP source.

Source: amazon-inspector (789e913282e371428b19e015e619b6a3dd6c8d9938ad0e08a1f37d0248d28e0a)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.