{"id":"MAL-2026-6721","summary":"Malicious code in ts-eslint-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1)\nThe package's index.js defines run()/from_str() that recursively walk process.cwd() and match files named .env, env, id.json, config.json, config.toml, Config.toml, and .jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a `{username}@{localIp}` tag prefix and the filename in a header. All operational strings — the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP — are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) to hide intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || 'piterpan') at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name — a lure targeting developers who install what they believe is an ESLint helper. 
Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.\n","modified":"2026-07-01T21:16:42.343507460Z","published":"2026-07-01T20:28:12Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007880","source":"amazon-inspector","modified_time":"2026-07-01T20:28:37Z","import_time":"2026-07-01T21:04:19.706309552Z","versions":["4.0.5"],"sha256":"5de09eab72381843fe526822a9e5ca746b9bb83574780063d03db585d7d79468"},{"sha256":"92885e3b8360ec230e1bee572fa04eb615357f6bdb69434e0dd1fa6d5e869923","source":"amazon-inspector","modified_time":"2026-07-01T20:28:20Z","import_time":"2026-07-01T21:04:19.604792305Z","versions":["4.0.4"],"id":"IN-MAL-2026-007878"},{"id":"IN-MAL-2026-007877","source":"amazon-inspector","modified_time":"2026-07-01T20:28:12Z","import_time":"2026-07-01T21:04:19.553112002Z","versions":["4.0.3"],"sha256":"e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-eslint-helper/v/4.0.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-eslint-helper/v/4.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-eslint-helper/v/4.0.3"}],"affected":[{"package":{"name":"ts-eslint-helper","ecosystem":"npm","purl":"pkg:npm/ts-eslint-helper"},"versions":["4.0.5","4.0.4","4.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-eslint-helper/MAL-2026-6721.json","indicators":{"evidence_files":[{"sha256":"f7a2574494ffb2a361c1f96d81c39a954d8b199b7ac10b2b4b5baaadd02a64fe","path":"index.js","tlsh":"e6a185b9552b6611d6f05bf8e6860405f6dad2223500c68379bd9bc63f33228b5d3dec"}],"package_integrity":[{"hashes":{"sha1":"dc213ee50fe5e0d667688d21254d2395e8d8e951","sha512_sri":"sha512-owNNzyiV1tO1jqXGDmS7lj38N5ig4fJwGogyqiVnIFrvfkm/RY2L8ONUAF96CVBwRZeJNw8b5jazEybSpzUlXA=="},"filename":"ts-eslint-helper-4.0.5.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}