MAL-2026-6567

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-commit-parser/MAL-2026-6567.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6567
Published
2026-06-29T04:00:16Z
Modified
2026-06-29T07:16:43.380517867Z
Summary
Malicious code in eslint-commit-parser (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195)

The package is published under the name eslint-commit-parser but its contents are a verbatim copy of the supertest HTTP-testing library — package.json carries supertest's description ("SuperAgent driven library for testing HTTP servers") and repository URL (https://github.com/ladjs/supertest.git), and the shipped source is supertest's. A developer who installs eslint-commit-parser expecting an ESLint commit parser receives unrelated code. package.json additionally declares a runtime dependency on express-mocha-test@^0.0.1, but no file in the tarball requires or imports that module — its only effect on the installer is to be resolved and installed alongside the carrier. The combination of a deceptive package name, contents that have no relation to the advertised identity, and an unused low-version unfamiliar transitive is the standard namespace-abuse / dependency-confusion carrier shape: the host package is hollow with respect to its declared identity and its purpose on install is to drag express-mocha-test onto the installer's machine.

Source: ossf-package-analysis (8631c673a2ca9fdebee382762a69c849485f6e2aa3c749173dea8d0f0f6e090b)

The OpenSSF Package Analysis project identified 'eslint-commit-parser' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "8631c673a2ca9fdebee382762a69c849485f6e2aa3c749173dea8d0f0f6e090b",
            "import_time": "2026-06-29T05:06:59.969737726Z",
            "modified_time": "2026-06-29T04:00:16Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "versions": [
                "1.0.0"
            ],
            "sha256": "5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195",
            "source": "amazon-inspector",
            "import_time": "2026-06-29T07:09:11.290201044Z",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "IN-MAL-2026-007769",
            "modified_time": "2026-06-29T06:45:57Z"
        }
    ]
}
References
Credits

Affected packages

npm / eslint-commit-parser

Package

Name
eslint-commit-parser
View open source insights on deps.dev
Purl
pkg:npm/eslint-commit-parser

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "eslint-commit-parser-1.0.0.tgz",
            "hashes": {
                "sha1": "f3a4bdcff0635da367afc0ea6336c77556369b64",
                "sha512_sri": "sha512-rh+9ACcYrTPkHPchTpGz0grLudQkphQFzjJHS8EUsJk5BwGmzdyq/h0z6iJVydUyfKnAVoDUUz2gFw9dt/O8Mg=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "fb319b33d8988d6b46f5a7ae79798381f1219b1f50a0cc0ff5ba139c8fb205710a9b95",
            "sha256": "19f18d80ea31deeb4ea38fccb82f6483f0f3f9d80adbaf73d05818a2c28b1b57",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-commit-parser/MAL-2026-6567.json"