MAL-2026-10703

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@across-toolkit/eslint-config/MAL-2026-10703.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10703
Published
2026-07-16T12:44:36Z
Modified
2026-07-17T03:19:27.505816635Z
Summary
Malicious code in @across-toolkit/eslint-config (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (2c7f4d3a8ae39148bf9964aef6bfe64bc57393c27a28d8e953b30c92442c4b33)

@across-toolkit/eslint-config@99.0.1 runs a postinstall.js script on npm install that harvests installer-side secrets and posts them to a hardcoded third-party endpoint. The script reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/idrsa, ~/.ssh/ided25519, ~/.npmrc, ~/.gitconfig, gcloud application-default credentials, /etc/environment, /proc/1/environ, and.env files; base64-encodes all of process.env (including NPMTOKEN, GITHUBTOKEN, and Actions OIDC tokens); queries the GCP metadata service at metadata.google.internal for OAuth tokens, project, service-account email, and scopes; queries the AWS IMDS at 169.254.169.254 for iam/security-credentials and iam/info; and invokes gcloud auth print-access-token and shell reconnaissance (hostname, whoami). The collected payload is POSTed via https.request to https://webhook.site/a585f4ec-20f7-4bd1-bac7-f3e53799dc5f. The package name and 99.0.1 version are shaped for dependency-confusion against an Across Protocol internal namespace.

Source: ossf-package-analysis (39b362e696810bfa8c5720ad97ba58d89920e87f909de311950b0939c731e7f7)

The OpenSSF Package Analysis project identified '@across-toolkit/eslint-config' @ 99.0.1 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "2c7f4d3a8ae39148bf9964aef6bfe64bc57393c27a28d8e953b30c92442c4b33",
            "import_time": "2026-07-16T18:53:59.369792294Z",
            "modified_time": "2026-07-16T18:30:05Z",
            "id": "IN-MAL-2026-010691",
            "versions": [
                "99.0.1"
            ]
        },
        {
            "source": "amazon-inspector",
            "sha256": "606cd4c034500fc3b24db606e894a3ea120d0d3b26e7ee85dd28eddcb81add58",
            "import_time": "2026-07-16T18:53:59.752892579Z",
            "modified_time": "2026-07-16T18:33:52Z",
            "id": "IN-MAL-2026-010697",
            "versions": [
                "99.0.0"
            ]
        },
        {
            "sha256": "39b362e696810bfa8c5720ad97ba58d89920e87f909de311950b0939c731e7f7",
            "import_time": "2026-07-17T03:07:34.450613343Z",
            "modified_time": "2026-07-16T12:44:36Z",
            "source": "ossf-package-analysis",
            "versions": [
                "99.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @across-toolkit/eslint-config

Package

Name
@across-toolkit/eslint-config
View open source insights on deps.dev
Purl
pkg:npm/%40across-toolkit/eslint-config

Affected ranges

Affected versions

99.*
99.0.0
99.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "eslint-config-99.0.1.tgz",
            "hashes": {
                "sha1": "3b54306f3c7faa5e598ef662f717b99f650589ff",
                "sha512_sri": "sha512-8bMpbXirBIL5aYiqjds0MaKmY/+Nbb20pDj9Bj/hP88yIkuW0W2fzWAz10U+ZkmcMHOs97QnrdrYTECsbF4zwA=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "17a1b5d63ab239241693eb14e35f65015127b50b7d96f880fdad5c010f8e11ca2f35ee",
            "sha256": "2d48da55e72d0d1c076790b0f3d3fea2d433a0ef6e782590026dc0a7a5177a8e",
            "path": "postinstall.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@across-toolkit/eslint-config/MAL-2026-10703.json"