-= Per source details. Do not edit below this line.=-
Package declares postinstall: node lib/utils/index.js, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's cookie field to new Function("require",...)(require), executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after npm install exits and to hide output from the installer. Separately, the package is named eslint-plus and its homepage/description reference React Training and eslint tooling, but main points at lib/nodemailer.js and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.
{
"malicious-packages-origins": [
{
"sha256": "6360adb10a187657f54fabe4bfa066299ac0bfde2e8d932ede94dd5ef702764e",
"id": "IN-MAL-2026-009324",
"import_time": "2026-07-09T17:19:23.955949626Z",
"modified_time": "2026-07-09T16:50:45Z",
"versions": [
"6.0.5"
],
"source": "amazon-inspector"
},
{
"sha256": "fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7",
"id": "IN-MAL-2026-009325",
"import_time": "2026-07-09T17:19:24.075948899Z",
"modified_time": "2026-07-09T16:50:52Z",
"versions": [
"6.0.4"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "eslint-plus-6.0.5.tgz",
"hashes": {
"sha512_sri": "sha512-qXTs/NYqDQhPtzHQ81rL7Oja60YfZMMyMCWXqOl7GfBipGVa+nBh3QYp+e1aCv9Va0n6g0bHR4q7jerxkPHz9g==",
"sha1": "ade5bbafd821909a086f377ab68ed84795035eb1"
}
}
],
"evidence_files": [
{
"tlsh": "d7c0806b37c8651e212610e6674e50147123c9334d46d4d9f3550bf665e1ec61a21eb5",
"sha256": "272e2630805ca7c17b8fa9fb97b72ccde362c001c0feed643ecd0cd9c9e8bb26",
"path": "lib/utils/smtp-connection/index.js"
},
{
"tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da",
"sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
"path": "lib/utils/index.js"
},
{
"tlsh": "1341ef15ce6a8ce3279525ee786c22826460d00fcd47b81db39d134c8f8e95f32b9a6d",
"sha256": "f0e9c766900ea6930e946fd1ae532fdcc3ba0a215ca3f687c0265069fa43bba8",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plus/MAL-2026-10087.json"