-= Per source details. Do not edit below this line.=-
The package self-describes as a TypeScript linter, but on require() it silently loads lib/perf.js (wrapped in try/catch in index.js), which performs unauthorized data collection and lateral-movement actions. lib/perf.js reads /etc/machine-id, os.hostname, os.userInfo, cwd, node version, and the JULESSESSIONID env var, shells out to git config --global user.name and git config --global user.email, and POSTs the combined payload to https://aaronstack.com/jules-collect. It then extracts the importer's GitHub org from git remote get-url origin, queries api.github.com for the org's repositories, clones target repos (adverse-events, cli-test, ts-utils-helper, async-utils-helper, .github) via a hardcoded proxy at http://git@192.168.0.1:8080, and attempts to push a jules-canary-<timestamp> branch containing a CANARY.md file using the developer/CI's ambient git credentials, reporting results back to aaronstack.com. The payload is hidden behind a cover-story filename (perf.js with no performance code), an IIFE with outer try/catch that swallows all errors, and a silent require in index.js — all designed to avoid breaking the host's lint workflow while the exfiltration and self-propagation execute. Of the network destinations named here, aaronstack.com is the collection endpoint; api.github.com is the legitimate GitHub API being used by the payload, so it is context for the behaviour rather than an indicator to block or alert on by itself.
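Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. Because the payload described above acts with the developer's or CI job's ambient git credentials, those credentials should be included in the rotation, and the affected organisation's repositories should be checked for unexpected jules-canary-<timestamp> branches or CANARY.md files. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.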
{
"malicious-packages-origins": [
{
"id": "GHSA-pvrm-mpcj-2mcp",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-05-25T09:37:28.984042092Z",
"sha256": "c73fbc270ffb4cf5f52bbfebfac578edea1d4b9eb3f84e9b2960e152832f6bce",
"source": "ghsa-malware",
"modified_time": "2026-05-25T09:05:32Z"
},
{
"id": "IN-MAL-2026-004403",
"versions": [
"1.2.0"
],
"sha256": "36b034956ffd2c8e7339c725826df410caceebf11199a3971189a658cdc7ef3f",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:36:52Z",
"import_time": "2026-05-26T05:52:31.762141678Z"
},
{
"id": "IN-MAL-2026-004535",
"versions": [
"1.6.0"
],
"sha256": "a385ef6837ef66e5182df562d781e091bd235c1225a39b26ebff58ef3f0362b8",
"source": "amazon-inspector",
"modified_time": "2026-05-24T19:21:54Z",
"import_time": "2026-05-26T05:52:47.658704788Z"
},
{
"id": "IN-MAL-2026-004388",
"import_time": "2026-05-26T05:52:30.085239818Z",
"sha256": "b668d6abfdf945a489cf48375e0f0691ae12f783b9d1120861af6b582cbaaba5",
"source": "amazon-inspector",
"modified_time": "2026-05-23T22:18:35Z",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-004405",
"versions": [
"1.4.0"
],
"sha256": "cef228f27ffdc3c772b10ffb827730cf01a1b8f74c16b73b12b1e3ca0e8caded",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:40:47Z",
"import_time": "2026-05-26T05:52:32.05011978Z"
},
{
"id": "IN-MAL-2026-004555",
"versions": [
"1.7.0"
],
"sha256": "4e809673ee33139fe8002b837d4ea33f962054d20bb093c12e9ac81ed3a3c82a",
"source": "amazon-inspector",
"modified_time": "2026-05-24T23:33:52Z",
"import_time": "2026-05-26T05:52:49.875902407Z"
},
{
"id": "IN-MAL-2026-004559",
"import_time": "2026-05-26T05:52:50.456378706Z",
"sha256": "6474151c94a1de781a915c2643d4fc2abc7c76a98f4cd16f3869e9eb771bc619",
"source": "amazon-inspector",
"modified_time": "2026-05-24T23:50:40Z",
"versions": [
"1.8.0"
]
},
{
"id": "IN-MAL-2026-004392",
"import_time": "2026-05-26T05:52:30.531727701Z",
"sha256": "6cbb61297cf8dea5168fbbb3c7d50afb007464bd5a27feff9b355a4e5e48ec92",
"source": "amazon-inspector",
"modified_time": "2026-05-23T22:52:51Z",
"versions": [
"1.1.0"
]
},
{
"id": "IN-MAL-2026-004556",
"import_time": "2026-05-26T05:52:49.969627794Z",
"sha256": "7e6bcb64732e908a86a2db10fec163e0d37dafcf80bea4cc9b9b707218f9ba61",
"source": "amazon-inspector",
"modified_time": "2026-05-24T23:33:52Z",
"versions": [
"1.7.0"
]
},
{
"id": "IN-MAL-2026-004558",
"import_time": "2026-05-26T05:52:50.272313843Z",
"sha256": "ccd044c036fa133a25ae5988694388a63c47a5edcf58c36d1dad610b8d1194a0",
"source": "amazon-inspector",
"modified_time": "2026-05-24T23:50:39Z",
"versions": [
"1.8.0"
]
},
{
"id": "IN-MAL-2026-004406",
"versions": [
"1.5.0"
],
"sha256": "e1ab7b2a9d1205f5ab9b03ba5f20e6739c3a57861fd1b85052bcd3ae496b3560",
"source": "amazon-inspector",
"modified_time": "2026-05-23T23:51:59Z",
"import_time": "2026-05-26T05:52:32.167148727Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvii/ts-project-lint/MAL-2026-4299.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"evidence_files": [
{
"path": "lib/perf.js",
"sha256": "a042ee1a8df5afb173e8846c89af3c84ae676e3544d99403281b05beca841a86",
"tlsh": "fed14ca4775daaf53a57509fc16978c002b32ab76a43c4ccd1d0bed70663faaed508c8"
},
{
"path": "index.js",
"sha256": "2f7612713925dd45f3ae292b49e5b338129041596f3a66579f33b03d8071ea3a",
"tlsh": "e8210f8008faf1921373b5e1ea4f6502b1b5e345335db5a4f5adc9a02f42030d4c7a9a"
}
],
"package_integrity": [
{
"filename": "ts-project-lint-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-n+RDug3h/0vKE8CM9xaV/0S1yeavog8acbq/IqcdHYE1L9wE7Kp8qeVKnY82JOMxgztaQHu7j26FaH612VVGvw==",
"sha1": "7fe34015f2e6781a379c420506c3574f92507cdf"
}
}
],
"domains": [
"aaronstack.com",
"api.github.com"
]
}