-= Per source details. Do not edit below this line.=-
The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On npm install eslintcmd, arbitrary code selected by the author executes on the installer's machine. The package name eslintcmd and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010623",
"source": "amazon-inspector",
"import_time": "2026-07-15T08:51:04.405304275Z",
"sha256": "2cf4500fbbfc85f42275772210ace6efb69c5f90d9d0a5edd7c0c75fa271f0c3",
"versions": [
"0.2.0"
],
"modified_time": "2026-07-15T07:55:08Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslintcmd/MAL-2026-10670.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "eslintcmd-0.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-ZR0YnP9VUIXRbN63occfRtbHu7FGyHx3cGwuDAhEVBL7j8zt5oDx2eFmF/voLrOIZ6OK0Inn4qaJbh+DKTrV3A==",
"sha1": "b08f9687cc140634f9f897d5ca1849fbcb630028"
}
}
],
"evidence_files": [
{
"path": "scripts/install-check.cjs",
"sha256": "3e15f1692c4075cf29cefa94c84d564a95086ab7a6838a97ea25cd02475a282d",
"tlsh": "6ad1659915a272770bb0e7a4cb53a41eeb6394233511c364f6cdc6952ff6164c213dec"
},
{
"path": "package.json",
"sha256": "2b94dd5d587d1e5cd81bdb05cee6dee045b61b79f42d0ab3008a5fd1baaccbab",
"tlsh": "2df02237d9504e3668b98e994e792640f4690b5f22b04d1bb0bb604c4fb2163049b72a"
}
]
}