MAL-2026-6121

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvi/ts-project-lint/MAL-2026-6121.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6121

Published

2026-06-18T16:44:00Z

Modified

2026-06-18T17:16:47.533851470Z

Summary

Malicious code in @gbrlxvi/ts-project-lint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8)

The package's main module index.js (also loaded indirectly by bin/cli.js) reads a hidden binary file lib/.perf.dat, AES-256-CBC-decrypts it with a hardcoded key/IV, and executes the resulting plaintext via new Function(_r)(). The decrypt-and-execute logic uses string-concatenation obfuscation ('crypt'+'o', 'f'+'s', 'aes-256-cb'+'c') and a silent try/catch to avoid static detection, and the payload file is named with a leading dot and described as 'performance telemetry' despite the package's advertised purpose being a TypeScript lint configuration. The payload (lib/.perf.dat, 7600 bytes, sha256 0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967) is high-entropy ciphertext with no other consumer. Any developer who require()s this package or runs npx ts-project-lint executes opaque attacker-controlled code in their process, with full filesystem and network access of the calling user. The combination of dynamic code evaluation, obfuscated symbol references, hidden dotfile payload, mismatched cover story, and silent error swallowing matches the canonical opaque-blob dropper pattern.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "09e070ea98f9c48e77b964b3dacd4d3e7cbd82cf896fc6140ec4c390438debc8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:44:00Z",
            "versions": [
                "1.1.0"
            ],
            "id": "IN-MAL-2026-007013",
            "import_time": "2026-06-18T17:08:48.315353468Z"
        }
    ]
}

References

https://www.npmjs.com/package/@gbrlxvi/ts-project-lint/v/1.1.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / @gbrlxvi/ts-project-lint

Package

Name: @gbrlxvi/ts-project-lint; View open source insights on deps.dev
Purl: pkg:npm/%40gbrlxvi%2Fts-project-lint

Affected ranges

Affected versions

1.*

1.1.0

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvi/ts-project-lint/MAL-2026-6121.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "e23f944cb85328f0a66a68322165371d07fad459e4b049c2dedf754e96e9f957",
            "tlsh": "613147d67eb5f4913162a19ad87ebf03b122810954f5f230d1e9e5903f4d0095e392e6",
            "path": "index.js"
        },
        {
            "sha256": "0d4cb2b4d4ae9891a4ead08d3610748cb76201f7a2107f65e847f72c936e3967",
            "tlsh": "82f1b0e471c3b0056d352f0a34d34f57c7dc3639ac9b591bf1902981ee2e61ad5e982e",
            "path": "lib/.perf.dat"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-NQ5ekQ27dls3bV3Jhxf9NgUx0Nl16GVfLoVsg+u4TaG2VmpRb487H9kIYiCCUEaL97OyvCvwtp5rLqjdw7R8MA==",
                "sha1": "12b0b2cfacde8ee4b6b4ca175ce9b1e5dedeebc7"
            },
            "filename": "ts-project-lint-1.1.0.tgz"
        }
    ]
}