MAL-2026-10498

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-angular-react/MAL-2026-10498.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10498
Published
2026-07-13T21:32:29Z
Modified
2026-07-13T22:01:56.072882885Z
Summary
Malicious code in eslint-angular-react (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9a6248527167bc121cdf2c1a874adbc9d433dbe4be2aed160e8abb3eb2ca63b)

package.json declares a preinstall lifecycle script that runs curl against the hardcoded bare IP http://109.71.252.153:8080/ at npm install time, sending the installer's OS (uname -s), username (whoami), working directory (pwd), and hostname as query-string parameters. The script fires automatically on npm install with no user interaction. The package ships only README and package.json — the declared main: index.js is absent and no ESLint functionality is provided — so the package's sole effect on the installer is the reconnaissance beacon. The name impersonates the ESLint plugin namespace (eslint-* / Angular / React), consistent with a typosquat/dependency-confusion lure aimed at developers searching for an ESLint plugin.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "a9a6248527167bc121cdf2c1a874adbc9d433dbe4be2aed160e8abb3eb2ca63b",
            "id": "IN-MAL-2026-010325",
            "import_time": "2026-07-13T21:49:33.902807188Z",
            "modified_time": "2026-07-13T21:32:29Z",
            "versions": [
                "110.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / eslint-angular-react

Package

Name
eslint-angular-react
View open source insights on deps.dev
Purl
pkg:npm/eslint-angular-react

Affected ranges

Affected versions

110.*
110.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-angular-react/MAL-2026-10498.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "eslint-angular-react-110.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-ec7b6VUNZYZ6sCj8SEryGOr/wtJRp3UCUyUWJK8sDe23Cp27w9okTj/Qgr/EnEKGmZMpKIFKCTtoxtOyciqXnA==",
                "sha1": "fa12385bb628b2bd808087a5198b8c8e016930f2"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "6d9e944633b97f034ecdb8346590fca216670376437fc84cac909c5588450232",
            "tlsh": "ebe0c038195095231dc60a211c3930db75407f6f01417c04d3eb693cc0df1a308fa31d"
        }
    ]
}