MAL-2026-5466

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-eslint-rules/MAL-2026-5466.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5466
Published
2026-06-09T20:32:32Z
Modified
2026-06-09T21:01:34.323622721Z
Summary
Malicious code in getd-eslint-rules (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (17328047b2ec8dce82cfbdfd5b16c8f862d51dca26b02c9801587c220a48975a)

On npm install, postinstall.js collects host identifiers (os.hostname, os.userInfo username, os.platform, current working directory, CI environment variable, and package name/version) and sends them as query-string parameters in an HTTPS GET to a hardcoded webhook.site collector URL (postinstall.js line 18: https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5?pkg=...&host=...&user=...&platform=...&cwd=...&ci=...). The fetch fires automatically on install and errors are silently swallowed. The package self-describes as a 'defensive typo-squat' research artifact, but installer-side identifiers are exfiltrated to a third-party request collector without consent regardless of stated intent. The package name pattern targets users who mistype an ESLint rules package, increasing the chance of unintended installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:32:32Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "17328047b2ec8dce82cfbdfd5b16c8f862d51dca26b02c9801587c220a48975a",
            "id": "IN-MAL-2026-005215",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:55.22851334Z"
        },
        {
            "modified_time": "2026-06-09T20:32:32Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "d5100344ca21b9a5e78114686b9c4e94dc86e198d7407318be782e9a57c6d8b7",
            "id": "IN-MAL-2026-005216",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:55.352477842Z"
        }
    ]
}
References
Credits

Affected packages

npm / getd-eslint-rules

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "getd-eslint-rules-0.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-sMUV36WTvfhEBK6fwK1Zn47eSgUWk9ODcQHR0BWIJY4F36CmSKy2n4Ca7Rxy6YSQ6wC9vKa3Vqe8hCDls9zC+w==",
                "sha1": "7be25ea4999283d3a2c134629b6b571d3607c1a4"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-eslint-rules/MAL-2026-5466.json"