-= Per source details. Do not edit below this line.=-
package.json declares a preinstall lifecycle script that runs curl against the hardcoded bare IP http://109.71.252.153:8080/ at npm install time, sending the installer's OS (uname -s), username (whoami), working directory (pwd), and hostname as query-string parameters. The script fires automatically on npm install with no user interaction. The package ships only README and package.json — the declared main: index.js is absent and no ESLint functionality is provided — so the package's sole effect on the installer is the reconnaissance beacon. The name impersonates the ESLint plugin namespace (eslint-* / Angular / React), consistent with a typosquat/dependency-confusion lure aimed at developers searching for an ESLint plugin.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "a9a6248527167bc121cdf2c1a874adbc9d433dbe4be2aed160e8abb3eb2ca63b",
"id": "IN-MAL-2026-010325",
"import_time": "2026-07-13T21:49:33.902807188Z",
"modified_time": "2026-07-13T21:32:29Z",
"versions": [
"110.0.1"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-angular-react/MAL-2026-10498.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "eslint-angular-react-110.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-ec7b6VUNZYZ6sCj8SEryGOr/wtJRp3UCUyUWJK8sDe23Cp27w9okTj/Qgr/EnEKGmZMpKIFKCTtoxtOyciqXnA==",
"sha1": "fa12385bb628b2bd808087a5198b8c8e016930f2"
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "6d9e944633b97f034ecdb8346590fca216670376437fc84cac909c5588450232",
"tlsh": "ebe0c038195095231dc60a211c3930db75407f6f01417c04d3eb693cc0df1a308fa31d"
}
]
}