react-editable-calendar @0.1.7

Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 7:52 PM UTC

Malicious

OSV ID: MAL-2026-6547

Ecosystem: npm

Summary

On npm install, the package's preinstall hook runs node dist/index.d.js. That file base64-decodes a payload which fetches JavaScript from https://everydaynodechecker-39143n.vercel.app/api/key?mem=master and passes the response to eval. The eval identifier is obfuscated: it is constructed from character codes [101,118,97,104] and invoked via globalThis[tag](text), so it never appears as a literal in source. The result is arbitrary attacker-controlled JavaScript execution on the installer's machine at install time, from an anonymous third-party host. The package name mimics common React calendar component naming and ships empty author metadata, with a minimal dist tree whose only auto-executed code is the remote-eval dropper.

Source: amazon-inspector (9b35fd7baa18320cbcaf6fbb6fbabb6139dd48264cd1f09d0461a8877c1f873f)
