{"id":"MAL-2026-5703","summary":"Malicious code in eslint-plugin-mistica-local-rules (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123)\npackage.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity (os.hostname(), os.platform(), os.arch(), os.userInfo() including uid/gid, shell, homedir, cwd) and the output of `whoami` and `id` via child_process, then POSTs the JSON payload to the hardcoded URL https://eucfugc8bk66haszliir75yd74dv1lpa.oastify.com/detox56 (a Burp Collaborator subdomain). The package ships no eslint rule implementation — its only effect on install is the recon/exfiltration beacon. The package name `eslint-plugin-mistica-local-rules` mimics the Telefónica Mistica design-system internal eslint-plugin namespace, consistent with a dependency-confusion attack against private-registry consumers.\n","modified":"2026-06-12T20:01:50.982455257Z","published":"2026-06-12T19:02:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-005836","source":"amazon-inspector","import_time":"2026-06-12T19:43:38.516424769Z","versions":["19.12.11"],"sha256":"72d5fe15c6bf5a8084dd7cb92869cfe7d7c8a667581dd8ba8c0de403bcfeff57","modified_time":"2026-06-12T19:02:58Z"},{"id":"IN-MAL-2026-005835","source":"amazon-inspector","import_time":"2026-06-12T19:43:38.418476887Z","versions":["19.12.11"],"sha256":"c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123","modified_time":"2026-06-12T19:02:58Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/eslint-plugin-mistica-local-rules/v/19.12.11"}],"affected":[{"package":{"name":"eslint-plugin-mistica-local-rules","ecosystem":"npm","purl":"pkg:npm/eslint-plugin-mistica-local-rules"},"versions":["19.12.11"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eslint-plugin-mistica-local-rules/MAL-2026-5703.json","indicators":{"evidence_files":[{"path":"index.js","tlsh":"a35151c515f65a241ba7b8494a4f9402a327e003350aee55bfcc8340af9937c9bf0bf2","sha256":"dbdb62f421441baa4dbb05960ca341c1174ebeca2be892702de1630626ec551e"},{"path":"package.json","tlsh":"aed02e200d21643369c102aa0c2ba0c772a2cf6f0014bc08a3df682c82ce37b88fb30d","sha256":"61f69ac09a506d72b97c08911ba8d1c3fd33713c1737601041e46db8003d4f87"}],"domains":["eucfugc8bk66haszliir75yd74dv1lpa.oastify.com"],"package_integrity":[{"hashes":{"sha512_sri":"sha512-ixWhgcKKEXP09K1YBvfK2xncuPtYEu2UvXokZqtvHH9Rfghn/WMCT+X/y+ONpjvNnbsVj22/u2Q0ll1ZyABHhQ==","sha1":"f18079c4bac792db77fa468435d28d3ab5591aaa"},"filename":"eslint-plugin-mistica-local-rules-19.12.11.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}