{"id":"MAL-2026-4299","summary":"Malicious code in @gbrlxvii/ts-project-lint (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ccd044c036fa133a25ae5988694388a63c47a5edcf58c36d1dad610b8d1194a0)\nThe package self-describes as a TypeScript linter but on require() silently loads lib/perf.js (wrapped in try/catch in index.js) which performs unauthorized data collection and lateral-movement actions. lib/perf.js reads /etc/machine-id, os.hostname, os.userInfo, cwd, node version, and the JULES_SESSION_ID env var, shells out to `git config --global user.name` and `git config --global user.email`, and POSTs the combined payload to https://aaronstack.com/jules-collect. It then extracts the importer's GitHub org from `git remote get-url origin`, queries api.github.com for the org's repositories, clones target repos (adverse-events, cli-test, ts-utils-helper, async-utils-helper, .github) via a hardcoded proxy at http://git@192.168.0.1:8080, and attempts to push a `jules-canary-\u003ctimestamp\u003e` branch containing a CANARY.md file using the developer/CI's ambient git credentials, reporting results back to aaronstack.com. The payload is hidden behind a cover-story filename (perf.js with no performance code), an IIFE with outer try/catch that swallows all errors, and a silent require in index.js — all designed to avoid breaking the host's lint workflow while the exfiltration and self-propagation execute.\n\n## Source: ghsa-malware (c73fbc270ffb4cf5f52bbfebfac578edea1d4b9eb3f84e9b2960e152832f6bce)\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. 
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\n","aliases":["GHSA-pvrm-mpcj-2mcp"],"modified":"2026-05-26T06:01:49.524987775Z","published":"2026-05-23T22:18:35Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T09:05:32Z","sha256":"c73fbc270ffb4cf5f52bbfebfac578edea1d4b9eb3f84e9b2960e152832f6bce","import_time":"2026-05-25T09:37:28.984042092Z","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"id":"GHSA-pvrm-mpcj-2mcp","source":"ghsa-malware"},{"sha256":"36b034956ffd2c8e7339c725826df410caceebf11199a3971189a658cdc7ef3f","versions":["1.2.0"],"modified_time":"2026-05-23T23:36:52Z","import_time":"2026-05-26T05:52:31.762141678Z","id":"IN-MAL-2026-004403","source":"amazon-inspector"},{"sha256":"a385ef6837ef66e5182df562d781e091bd235c1225a39b26ebff58ef3f0362b8","versions":["1.6.0"],"modified_time":"2026-05-24T19:21:54Z","import_time":"2026-05-26T05:52:47.658704788Z","id":"IN-MAL-2026-004535","source":"amazon-inspector"},{"sha256":"b668d6abfdf945a489cf48375e0f0691ae12f783b9d1120861af6b582cbaaba5","versions":["1.0.0"],"modified_time":"2026-05-23T22:18:35Z","import_time":"2026-05-26T05:52:30.085239818Z","id":"IN-MAL-2026-004388","source":"amazon-inspector"},{"modified_time":"2026-05-23T23:40:47Z","versions":["1.4.0"],"sha256":"cef228f27ffdc3c772b10ffb827730cf01a1b8f74c16b73b12b1e3ca0e8caded","import_time":"2026-05-26T05:52:32.05011978Z","id":"IN-MAL-2026-004405","source":"amazon-inspector"},{"sha256":"4e809673ee33139fe8002b837d4ea33f962054d20bb093c12e9ac81ed3a3c82a","versions":["1.7.0"],"modified_time":"2026-05-24T23:33:52Z","import_time":"2026-05-26T05:52:49.875902407Z","id":"IN-MAL-2026-004555","source":"amazon-inspector"},{"sha256":"6474151c94a1de781a915c2643d4fc2abc7c76a98f4cd16f3869e9eb771bc619","versions":["1.8.0"],"modified_time":"2026-05-24T23:50:40Z","impor
t_time":"2026-05-26T05:52:50.456378706Z","id":"IN-MAL-2026-004559","source":"amazon-inspector"},{"modified_time":"2026-05-23T22:52:51Z","versions":["1.1.0"],"sha256":"6cbb61297cf8dea5168fbbb3c7d50afb007464bd5a27feff9b355a4e5e48ec92","import_time":"2026-05-26T05:52:30.531727701Z","id":"IN-MAL-2026-004392","source":"amazon-inspector"},{"sha256":"7e6bcb64732e908a86a2db10fec163e0d37dafcf80bea4cc9b9b707218f9ba61","versions":["1.7.0"],"modified_time":"2026-05-24T23:33:52Z","import_time":"2026-05-26T05:52:49.969627794Z","id":"IN-MAL-2026-004556","source":"amazon-inspector"},{"modified_time":"2026-05-24T23:50:39Z","versions":["1.8.0"],"sha256":"ccd044c036fa133a25ae5988694388a63c47a5edcf58c36d1dad610b8d1194a0","import_time":"2026-05-26T05:52:50.272313843Z","id":"IN-MAL-2026-004558","source":"amazon-inspector"},{"sha256":"e1ab7b2a9d1205f5ab9b03ba5f20e6739c3a57861fd1b85052bcd3ae496b3560","versions":["1.5.0"],"modified_time":"2026-05-23T23:51:59Z","import_time":"2026-05-26T05:52:32.167148727Z","id":"IN-MAL-2026-004406","source":"amazon-inspector"}]},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-pvrm-mpcj-2mcp"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.6.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.0.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.4.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.7.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.8.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@gbrlxvii/ts-project-lint/v/1.5.0"}],"affected":[{"package":{"name":"@gbrlxvii/ts-project-lint","ecosystem":"npm","purl":"pkg:npm/%40gbrlxvii%2Fts-project-lint"},
"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.2.0","1.6.0","1.0.0","1.4.0","1.7.0","1.8.0","1.1.0","1.5.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in 
nature."}],"indicators":{"package_integrity":[{"filename":"ts-project-lint-1.2.0.tgz","hashes":{"sha1":"7fe34015f2e6781a379c420506c3574f92507cdf","sha512_sri":"sha512-n+RDug3h/0vKE8CM9xaV/0S1yeavog8acbq/IqcdHYE1L9wE7Kp8qeVKnY82JOMxgztaQHu7j26FaH612VVGvw=="}}],"evidence_files":[{"sha256":"a042ee1a8df5afb173e8846c89af3c84ae676e3544d99403281b05beca841a86","tlsh":"fed14ca4775daaf53a57509fc16978c002b32ab76a43c4ccd1d0bed70663faaed508c8","path":"lib/perf.js"},{"sha256":"2f7612713925dd45f3ae292b49e5b338129041596f3a66579f33b03d8071ea3a","tlsh":"e8210f8008faf1921373b5e1ea4f6502b1b5e345335db5a4f5adc9a02f42030d4c7a9a","path":"index.js"}],"domains":["aaronstack.com","api.github.com"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@gbrlxvii/ts-project-lint/MAL-2026-4299.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}