MAL-2026-6187

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-helper/MAL-2026-6187.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6187

Published

2026-06-19T03:59:01Z

Modified

2026-06-19T05:31:48.839594226Z

Summary

Malicious code in eslint-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301)

Package masquerades as an ESLint utility but contains no lint-related code. The exported fromstr() recursively walks process.cwd() searching for secret-bearing files (.env, config.toml, Config.toml, config.json, env, id.json) and POSTs each file's contents to a hardcoded, base64-obfuscated endpoint at https://vercel-backend-five-vert.vercel.app/api/v1. A helper gsh() additionally reads ~/.bashhistory, ~/.zshhistory, fish history, and PowerShell PSReadLine ConsoleHosthistory.txt, and shells out via execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") to dump in-memory shell history, then ships each to the same endpoint. All sensitive strings (target filenames, exfil URL, HTTP headers, USER env var name) are base64-obfuscated and decoded at module load via a decodeStr helper, indicating intentional evasion. Any project that requires this package and invokes fromstr (or runs the shipped test.js) will leak credentials and shell history to the attacker.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "287d2ce5e8564f37ce829dd1a28c92c7f484637512ac3174628a89181fb6e5b1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T03:59:01Z",
            "versions": [
                "4.0.1"
            ],
            "id": "IN-MAL-2026-007041",
            "import_time": "2026-06-19T05:16:48.127092344Z"
        },
        {
            "sha256": "5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T03:59:06Z",
            "versions": [
                "4.0.2"
            ],
            "id": "IN-MAL-2026-007044",
            "import_time": "2026-06-19T05:16:48.47697355Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / eslint-helper

Package

Name: eslint-helper; View open source insights on deps.dev
Purl: pkg:npm/eslint-helper

Affected ranges

Affected versions

4.*

4.0.1

4.0.2

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-helper/MAL-2026-6187.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "9f0ad4bbcea4f24cf16611e7012fbe4897084a439b62aa203a853656983f3048",
            "tlsh": "80f176a901162126d6f1e7f8eb560406f7ded2137202c742b6ac4ac92f77528e1d2fec",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-Euh8ickmUDF2nZpge0pEuwessMm/lrQ9tGdW72TV7T0IJWvmdHmYqRlQ5h5aij1zQOiSBHwZlHm51vO91KJNWg==",
                "sha1": "88629446eddfc9db716f5ee9dd7e0da017f74049"
            },
            "filename": "eslint-helper-4.0.1.tgz"
        }
    ]
}