MAL-2026-10087

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plus/MAL-2026-10087.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10087
Published
2026-07-09T16:50:45Z
Modified
2026-07-09T17:31:54.035289641Z
Summary
Malicious code in eslint-plus (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7)

Package declares postinstall: node lib/utils/index.js, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's cookie field to new Function("require",...)(require), executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after npm install exits and to hide output from the installer. Separately, the package is named eslint-plus and its homepage/description reference React Training and eslint tooling, but main points at lib/nodemailer.js and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "6360adb10a187657f54fabe4bfa066299ac0bfde2e8d932ede94dd5ef702764e",
            "id": "IN-MAL-2026-009324",
            "import_time": "2026-07-09T17:19:23.955949626Z",
            "modified_time": "2026-07-09T16:50:45Z",
            "versions": [
                "6.0.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7",
            "id": "IN-MAL-2026-009325",
            "import_time": "2026-07-09T17:19:24.075948899Z",
            "modified_time": "2026-07-09T16:50:52Z",
            "versions": [
                "6.0.4"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / eslint-plus

Package

Affected ranges

Affected versions

6.*
6.0.4
6.0.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "eslint-plus-6.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-qXTs/NYqDQhPtzHQ81rL7Oja60YfZMMyMCWXqOl7GfBipGVa+nBh3QYp+e1aCv9Va0n6g0bHR4q7jerxkPHz9g==",
                "sha1": "ade5bbafd821909a086f377ab68ed84795035eb1"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "d7c0806b37c8651e212610e6674e50147123c9334d46d4d9f3550bf665e1ec61a21eb5",
            "sha256": "272e2630805ca7c17b8fa9fb97b72ccde362c001c0feed643ecd0cd9c9e8bb26",
            "path": "lib/utils/smtp-connection/index.js"
        },
        {
            "tlsh": "dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da",
            "sha256": "9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e",
            "path": "lib/utils/index.js"
        },
        {
            "tlsh": "1341ef15ce6a8ce3279525ee786c22826460d00fcd47b81db39d134c8f8e95f32b9a6d",
            "sha256": "f0e9c766900ea6930e946fd1ae532fdcc3ba0a215ca3f687c0265069fa43bba8",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plus/MAL-2026-10087.json"