MAL-2026-6721

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-eslint-helper/MAL-2026-6721.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6721
Published
2026-07-01T20:28:12Z
Modified
2026-07-01T21:16:42.343507460Z
Summary
Malicious code in ts-eslint-helper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1)

The package's index.js defines run()/fromstr() that recursively walk process.cwd() and match files named .env, env, id.json, config.json, config.toml, Config.toml, and .jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a {username}@{localIp} tag prefix and the filename in a header. All operational strings — the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP — are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) to hide intent. The shipped test.js invokes run(process.env.BACKUPUSERNAME_TAG || 'piterpan') at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name — a lure targeting developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.
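To check whether a project resolved one of the affected versions, the following added example (not part of the advisory or of any tool it cites) scans a parsed package-lock.json for this record's package name, versions, and the 4.0.5 tarball SRI hash. The function name, the sample lockfile, and the names "demo-app", "example-dep" and "lint-utils" are constructed for illustration.

```javascript
// Indicators copied from this advisory (MAL-2026-6721).
const PKG = "ts-eslint-helper";
const BAD_VERSIONS = new Set(["4.0.3", "4.0.4", "4.0.5"]);
// SRI hash of ts-eslint-helper-4.0.5.tgz from the "package_integrity" indicator.
const BAD_INTEGRITY = new Set([
  "sha512-owNNzyiV1tO1jqXGDmS7lj38N5ig4fJwGogyqiVnIFrvfkm/RY2L8ONUAF96CVBwRZeJNw8b5jazEybSpzUlXA==",
]);

// Return one finding per lockfile entry that matches the advisory.
function findAffected(lock) {
  const findings = [];
  const check = (name, entry, where) => {
    if (!entry || typeof entry !== "object") return;
    const byIntegrity = BAD_INTEGRITY.has(entry.integrity);
    // Aliased installs keep the real package name in entry.name.
    const byVersion = (entry.name || name) === PKG && BAD_VERSIONS.has(entry.version);
    if (byIntegrity || byVersion) {
      findings.push({ where, version: entry.version, reason: byIntegrity ? "integrity" : "version" });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path !== "") check(path.split("node_modules/").pop(), entry, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        check(name, entry, prefix + name);
        walk(entry?.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample lockfile (not from the advisory); dependency names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-dep": { version: "2.1.0" },
    "node_modules/ts-eslint-helper": { version: "4.0.5", integrity: [...BAD_INTEGRITY][0] },
    "node_modules/example-dep/node_modules/ts-eslint-helper": { version: "4.0.4" },
    "node_modules/lint-utils": { name: "ts-eslint-helper", version: "4.0.3" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A match means the package was resolved for the project; since the details above state that loading it uploads .env and config files found under the working directory, secrets in those files should be treated as exposed and rotated.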

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "4.0.5"
            ],
            "sha256": "5de09eab72381843fe526822a9e5ca746b9bb83574780063d03db585d7d79468",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T20:28:37Z",
            "id": "IN-MAL-2026-007880",
            "import_time": "2026-07-01T21:04:19.706309552Z"
        },
        {
            "versions": [
                "4.0.4"
            ],
            "sha256": "92885e3b8360ec230e1bee572fa04eb615357f6bdb69434e0dd1fa6d5e869923",
            "modified_time": "2026-07-01T20:28:20Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007878",
            "import_time": "2026-07-01T21:04:19.604792305Z"
        },
        {
            "versions": [
                "4.0.3"
            ],
            "sha256": "e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T20:28:12Z",
            "id": "IN-MAL-2026-007877",
            "import_time": "2026-07-01T21:04:19.553112002Z"
        }
    ]
}
References
Credits

Affected packages

npm / ts-eslint-helper

Package

Affected ranges

Affected versions

4.*
4.0.3
4.0.4
4.0.5

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "ts-eslint-helper-4.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-owNNzyiV1tO1jqXGDmS7lj38N5ig4fJwGogyqiVnIFrvfkm/RY2L8ONUAF96CVBwRZeJNw8b5jazEybSpzUlXA==",
                "sha1": "dc213ee50fe5e0d667688d21254d2395e8d8e951"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "f7a2574494ffb2a361c1f96d81c39a954d8b199b7ac10b2b4b5baaadd02a64fe",
            "path": "index.js",
            "tlsh": "e6a185b9552b6611d6f05bf8e6860405f6dad2223500c68379bd9bc63f33228b5d3dec"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-eslint-helper/MAL-2026-6721.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]