-= Per source details. Do not edit below this line.=-
The package is published under the name eslint-commit-parser but its contents are a verbatim copy of the supertest HTTP-testing library — package.json carries supertest's description ("SuperAgent driven library for testing HTTP servers") and repository URL (https://github.com/ladjs/supertest.git), and the shipped source is supertest's. A developer who installs eslint-commit-parser expecting an ESLint commit parser receives unrelated code. package.json additionally declares a runtime dependency on express-mocha-test@^0.0.1, but no file in the tarball requires or imports that module — its only effect on the installer is to be resolved and installed alongside the carrier. The combination of a deceptive package name, contents that have no relation to the advertised identity, and an unused low-version unfamiliar transitive is the standard namespace-abuse / dependency-confusion carrier shape: the host package is hollow with respect to its declared identity and its purpose on install is to drag express-mocha-test onto the installer's machine.
The OpenSSF Package Analysis project identified 'eslint-commit-parser' @ 1.0.0 (npm) as malicious.
It is considered malicious because:
{
"malicious-packages-origins": [
{
"sha256": "8631c673a2ca9fdebee382762a69c849485f6e2aa3c749173dea8d0f0f6e090b",
"import_time": "2026-06-29T05:06:59.969737726Z",
"modified_time": "2026-06-29T04:00:16Z",
"source": "ossf-package-analysis",
"versions": [
"1.0.0"
]
},
{
"versions": [
"1.0.0"
],
"sha256": "5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195",
"source": "amazon-inspector",
"import_time": "2026-06-29T07:09:11.290201044Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "IN-MAL-2026-007769",
"modified_time": "2026-06-29T06:45:57Z"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "eslint-commit-parser-1.0.0.tgz",
"hashes": {
"sha1": "f3a4bdcff0635da367afc0ea6336c77556369b64",
"sha512_sri": "sha512-rh+9ACcYrTPkHPchTpGz0grLudQkphQFzjJHS8EUsJk5BwGmzdyq/h0z6iJVydUyfKnAVoDUUz2gFw9dt/O8Mg=="
}
}
],
"evidence_files": [
{
"tlsh": "fb319b33d8988d6b46f5a7ae79798381f1219b1f50a0cc0ff5ba139c8fb205710a9b95",
"sha256": "19f18d80ea31deeb4ea38fccb82f6483f0f3f9d80adbaf73d05818a2c28b1b57",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-commit-parser/MAL-2026-6567.json"