Embedded Malicious Code Affecting @vietmoney/react-big-calendar package, versions =0.26.2

Q: How to fix?

Avoid using all malicious instances of the @vietmoney/react-big-calendar package.

Threat Intelligence

Trending on 𝕏

Attacked

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-VIETMONEYREACTBIGCALENDAR-14723319
published29 Dec 2025
disclosed29 Dec 2025
creditCharlie Eriksen

Report a new vulnerability Found a mistake?

Introduced: 29 Dec 2025

Malicious CWE-506 (opens in a new tab)

How to fix?

Avoid using all malicious instances of the @vietmoney/react-big-calendar package.

Overview

Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-hulud supply chain attacks. The malware functions as a self-replicating worm that spreads via npm dependencies to compromise developer environments; However, at the time of writing, there are no indications of major spread or infections.

Malicious Behavior

The obfuscated payload targets and steals sensitive information, including API tokens, environment variables, and private repository credentials.
The malware also creates a GitHub repository under compromised accounts with a random name, with the description: "Goldox-T3chs: Only Happy Girl"

References

Detection Report

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None