MAL-2026-10670

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslintcmd/MAL-2026-10670.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10670
Published
2026-07-15T07:55:08Z
Modified
2026-07-15T09:19:32.442249652Z
Summary
Malicious code in eslintcmd (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2cf4500fbbfc85f42275772210ace6efb69c5f90d9d0a5edd7c0c75fa271f0c3)

The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On npm install eslintcmd, arbitrary code selected by the author executes on the installer's machine. The package name eslintcmd and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010623",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T08:51:04.405304275Z",
            "sha256": "2cf4500fbbfc85f42275772210ace6efb69c5f90d9d0a5edd7c0c75fa271f0c3",
            "versions": [
                "0.2.0"
            ],
            "modified_time": "2026-07-15T07:55:08Z"
        }
    ]
}
References
Credits

Affected packages

npm / eslintcmd

Package

Affected ranges

Affected versions

0.*
0.2.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslintcmd/MAL-2026-10670.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "eslintcmd-0.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ZR0YnP9VUIXRbN63occfRtbHu7FGyHx3cGwuDAhEVBL7j8zt5oDx2eFmF/voLrOIZ6OK0Inn4qaJbh+DKTrV3A==",
                "sha1": "b08f9687cc140634f9f897d5ca1849fbcb630028"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "scripts/install-check.cjs",
            "sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
            "tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec"
        },
        {
            "path": "package.json",
            "sha256": "2b94dd5d587d1e5cd81bdb05cee6dee045b61b79f42d0ab3008a5fd1baaccbab",
            "tlsh": "2df02237d9504e3668b98e994e792640f4690b5f22b04d1bb0bb604c4fb2163049b72a"
        }
    ]
}