{"id":"MAL-2026-10087","summary":"Malicious code in eslint-plus (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7)\nPackage declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function(\"require\",...)(require)`, executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after `npm install` exits and to hide output from the installer. Separately, the package is named `eslint-plus` and its homepage/description reference React Training and eslint tooling, but `main` points at `lib/nodemailer.js` and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.\n","modified":"2026-07-09T17:31:54.035289641Z","published":"2026-07-09T16:50:45Z","database_specific":{"malicious-packages-origins":[{"versions":["6.0.5"],"sha256":"6360adb10a187657f54fabe4bfa066299ac0bfde2e8d932ede94dd5ef702764e","modified_time":"2026-07-09T16:50:45Z","source":"amazon-inspector","import_time":"2026-07-09T17:19:23.955949626Z","id":"IN-MAL-2026-009324"},{"versions":["6.0.4"],"sha256":"fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7","modified_time":"2026-07-09T16:50:52Z","source":"amazon-inspector","import_time":"2026-07-09T17:19:24.075948899Z","id":"IN-MAL-2026-009325"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/eslint-plus/v/6.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/eslint-plus/v/6.0.4"}],"affected":[{"package":{"name":"eslint-plus","ecosystem":"npm","purl":"pkg:npm/eslint-plus"},"versions":["6.0.5","6.0.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plus/MAL-2026-10087.json","indicators":{"package_integrity":[{"hashes":{"sha1":"ade5bbafd821909a086f377ab68ed84795035eb1","sha512_sri":"sha512-qXTs/NYqDQhPtzHQ81rL7Oja60YfZMMyMCWXqOl7GfBipGVa+nBh3QYp+e1aCv9Va0n6g0bHR4q7jerxkPHz9g=="},"filename":"eslint-plus-6.0.5.tgz"}],"evidence_files":[{"tlsh":"d7c0806b37c8651e212610e6674e50147123c9334d46d4d9f3550bf665e1ec61a21eb5","sha256":"272e2630805ca7c17b8fa9fb97b72ccde362c001c0feed643ecd0cd9c9e8bb26","path":"lib/utils/smtp-connection/index.js"},{"tlsh":"dae0686a23533738a034cbc1da30ce3b258b8020b365a0e0f00c406a2bc72c406ea8da","sha256":"9fb27c30f484650bb4a39f65a03fbccdc0b9b5f1cb84700ca73ee8893c66e06e","path":"lib/utils/index.js"},{"tlsh":"1341ef15ce6a8ce3279525ee786c22826460d00fcd47b81db39d134c8f8e95f32b9a6d","sha256":"f0e9c766900ea6930e946fd1ae532fdcc3ba0a215ca3f687c0265069fa43bba8","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}