MAL-2026-5703

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plugin-mistica-local-rules/MAL-2026-5703.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5703

Published

2026-06-12T19:02:58Z

Modified

2026-06-12T20:01:50.982455257Z

Summary

Malicious code in eslint-plugin-mistica-local-rules (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123)

package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity (os.hostname(), os.platform(), os.arch(), os.userInfo() including uid/gid, shell, homedir, cwd) and the output of whoami and id via child_process, then POSTs the JSON payload to the hardcoded URL https://eucfugc8bk66haszliir75yd74dv1lpa.oastify.com/detox56 (a Burp Collaborator subdomain). The package ships no eslint rule implementation — its only effect on install is the recon/exfiltration beacon. The package name eslint-plugin-mistica-local-rules mimics the Telefónica Mistica design-system internal eslint-plugin namespace, consistent with a dependency-confusion attack against private-registry consumers.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "72d5fe15c6bf5a8084dd7cb92869cfe7d7c8a667581dd8ba8c0de403bcfeff57",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:58Z",
            "versions": [
                "19.12.11"
            ],
            "id": "IN-MAL-2026-005836",
            "import_time": "2026-06-12T19:43:38.516424769Z"
        },
        {
            "sha256": "c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:58Z",
            "versions": [
                "19.12.11"
            ],
            "id": "IN-MAL-2026-005835",
            "import_time": "2026-06-12T19:43:38.418476887Z"
        }
    ]
}

References

https://www.npmjs.com/package/eslint-plugin-mistica-local-rules/v/19.12.11

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / eslint-plugin-mistica-local-rules

Package

Name: eslint-plugin-mistica-local-rules; View open source insights on deps.dev
Purl: pkg:npm/eslint-plugin-mistica-local-rules

Affected ranges

Affected versions

19.*

19.12.11

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plugin-mistica-local-rules/MAL-2026-5703.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "dbdb62f421441baa4dbb05960ca341c1174ebeca2be892702de1630626ec551e",
            "tlsh": "a35151c515f65a241ba7b8494a4f9402a327e003350aee55bfcc8340af9937c9bf0bf2",
            "path": "index.js"
        },
        {
            "sha256": "61f69ac09a506d72b97c08911ba8d1c3fd33713c1737601041e46db8003d4f87",
            "tlsh": "aed02e200d21643369c102aa0c2ba0c772a2cf6f0014bc08a3df682c82ce37b88fb30d",
            "path": "package.json"
        }
    ],
    "domains": [
        "eucfugc8bk66haszliir75yd74dv1lpa.oastify.com"
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ixWhgcKKEXP09K1YBvfK2xncuPtYEu2UvXokZqtvHH9Rfghn/WMCT+X/y+ONpjvNnbsVj22/u2Q0ll1ZyABHhQ==",
                "sha1": "f18079c4bac792db77fa468435d28d3ab5591aaa"
            },
            "filename": "eslint-plugin-mistica-local-rules-19.12.11.tgz"
        }
    ]
}