MAL-2026-5470

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-typescript-eslint-rules/MAL-2026-5470.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5470

Published

2026-06-09T20:29:31Z

Modified

2026-06-09T21:01:34.817129360Z

Summary

Malicious code in getd-typescript-eslint-rules (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f)

On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers (CI, BUILDBUILDID, AGENTNAME), and package name/version, then sends them as query parameters in an HTTPS GET to a hardcoded webhook.site collector (https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5). Errors are swallowed so the install does not fail visibly. The package's own metadata declares it a typosquat targeting @getd/typescript-eslint-rules and frames the beacon as 'defensive security research,' but the on-install behavior identifies any installer (including internal CI build agents) to a third-party endpoint regardless of stated intent.

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T20:29:31Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f",
            "id": "IN-MAL-2026-005211",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:54.671452791Z"
        },
        {
            "modified_time": "2026-06-09T20:29:32Z",
            "versions": [
                "0.0.1"
            ],
            "sha256": "fbc75f9b06e69a7a9abfece2eb3d4f9c8b3c5f46e927b94c0037781e4aace47b",
            "id": "IN-MAL-2026-005212",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T20:45:54.843400782Z"
        }
    ]
}

References

https://www.npmjs.com/package/getd-typescript-eslint-rules/v/0.0.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / getd-typescript-eslint-rules

Package

Name: getd-typescript-eslint-rules; View open source insights on deps.dev
Purl: pkg:npm/getd-typescript-eslint-rules

Affected ranges

Affected versions

0.*

0.0.1

Database specific

indicators

{
    "domains": [
        "webhook.site"
    ],
    "evidence_files": [
        {
            "sha256": "4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164",
            "tlsh": "062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e",
            "path": "postinstall.js"
        },
        {
            "sha256": "88332683aee21615bec23e1f88f4a3cf68cf3365428cd0260b101d073403fa29",
            "tlsh": "4d01f42a76264a3329c01a6c5d32a80a3d128e5751167d1e27e7070143dfd7fc5ff31a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-UFT4/MjM3UCELq/U9EGJX+dBxsrlIUFiYBtuK8v+xFVpZS6l1txZY3fqsBqHw/pV1XcpkYc9h6ZozFyxBDXd0A==",
                "sha1": "9c5cb575acff617499aef6961c34effd504d6eba"
            },
            "filename": "getd-typescript-eslint-rules-0.0.1.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-typescript-eslint-rules/MAL-2026-5470.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]