Which versions of ac_calendar_ts are malicious?

The following npm versions of ac_calendar_ts are flagged malicious: 99.99.100. Treat any of these as compromised.

How do I remediate ac_calendar_ts if I installed it?

Remove ac_calendar_ts from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ac_calendar_ts part of a known attack campaign?

Yes — ac_calendar_ts is associated with the IN-MAL-2026-005009 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ac_calendar_ts in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ac_calendar_ts and packages like it before any post-install script runs.

Malicious package

ac_calendar_tsnpm

Malicious code in ac_calendar_ts (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5434

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ac_calendar_ts

What this malware does

On npm install, the package's canary.js postinstall script issues an HTTP GET to http://157.230.17.236/dc carrying the installer's os.hostname(), package name, version, a fixed nonce, and a phase identifier. The destination is a hardcoded bare IP over plain HTTP with no opt-in, no documented purpose, and no relationship to any declared package functionality. The package describes itself as a 'dependency-confusion canary,' which matches the pattern used to enumerate internal networks that resolved a public name — the installer's host identifier is exfiltrated to an external operator without consent. The version number (99.99.100) is also consistent with dependency-confusion targeting, in which an attacker publishes an artificially high version under a name expected to exist in a private registry.

Malicious versions

1 flagged

99.99.100

Indicators of compromise (SHA-256)

d5b3fd92d67510aef112ac70c9af79a59b924eef29e20b1b127ea4c720182c63

Frequently asked questions

No. ac_calendar_ts on npm has been identified as a malicious package (version 99.99.100 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005009

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection