MAL-2026-6195

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-linter-builders/MAL-2026-6195.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6195

Published

2026-06-19T04:30:48Z

Modified

2026-06-19T05:31:48.195980929Z

Summary

Malicious code in ts-linter-builders (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6)

index.js imports childprocess and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, with additional fetch() calls to the same destination. The code reads environment data and host identifiers and ships them to this attacker-controlled endpoint. The package name advertises a TypeScript linter helper, but the embedded behavior is unrelated to linting and matches the shape of a credential/host-info beacon. The hardcoded third-party Vercel-hosted endpoint, combined with environment reads and childprocess import, constitutes an installer-side exfiltration / RCE staging surface with no legitimate purpose for a 'linter builder' package.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T04:30:48Z",
            "versions": [
                "1.0.4"
            ],
            "id": "IN-MAL-2026-007045",
            "import_time": "2026-06-19T05:16:48.600745745Z"
        }
    ]
}

References

https://www.npmjs.com/package/ts-linter-builders/v/1.0.4

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ts-linter-builders

Package

Name: ts-linter-builders; View open source insights on deps.dev
Purl: pkg:npm/ts-linter-builders

Affected ranges

Affected versions

1.*

1.0.4

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-linter-builders/MAL-2026-6195.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "40f9a81d39fc4fc5a1895aa2f82b01fab53b5eae8b61c80885affddb485db439",
            "tlsh": "28f164d991372661cfb233b85a03100dfbdad12339028651b6ec46486f7b52865e2eee",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-pD2FpJNDdBZ4OTc6yapxR4iYqBBkzlOCfqvjlBLqu36W7LZQuZZakGkxcK6084DFlIGC2Si82QT4tvAZX0a//g==",
                "sha1": "b2b1e7e742e14de6f25aaed7e0eb43d651f949e3"
            },
            "filename": "ts-linter-builders-1.0.4.tgz"
        }
    ]
}