mal-2026-6721
Vulnerability from ossf_malicious_packages
Published: 2026-07-01 20:28
Modified: 2026-07-01 21:06
Summary: Malicious code in ts-eslint-helper (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1)

The package's index.js defines run()/from_str() that recursively walk process.cwd() and match files named .env, env, id.json, config.json, config.toml, Config.toml, and .jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a {username}@{localIp} tag prefix and the filename in a header. All operational strings — the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP — are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) to hide intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || 'piterpan') at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name — a lure targeting developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.

CWE
  • CWE-506 - The product contains code that appears to be malicious in nature.

{
  "affected": [
    {
      "database_specific": {
        "cwes": [
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          },
          {
            "cweId": "CWE-506",
            "description": "The product contains code that appears to be malicious in nature.",
            "name": "Embedded Malicious Code"
          }
        ],
        "indicators": {
          "evidence_files": [
            {
              "path": "index.js",
              "sha256": "f7a2574494ffb2a361c1f96d81c39a954d8b199b7ac10b2b4b5baaadd02a64fe",
              "tlsh": "e6a185b9552b6611d6f05bf8e6860405f6dad2223500c68379bd9bc63f33228b5d3dec"
            }
          ],
          "package_integrity": [
            {
              "filename": "ts-eslint-helper-4.0.5.tgz",
              "hashes": {
                "sha1": "dc213ee50fe5e0d667688d21254d2395e8d8e951",
                "sha512_sri": "sha512-owNNzyiV1tO1jqXGDmS7lj38N5ig4fJwGogyqiVnIFrvfkm/RY2L8ONUAF96CVBwRZeJNw8b5jazEybSpzUlXA=="
              }
            }
          ]
        }
      },
      "package": {
        "ecosystem": "npm",
        "name": "ts-eslint-helper"
      },
      "versions": [
        "4.0.5",
        "4.0.4",
        "4.0.3"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "inspector-research@amazon.com"
      ],
      "name": "Amazon Inspector",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": [
      {
        "id": "IN-MAL-2026-007880",
        "import_time": "2026-07-01T21:04:19.706309552Z",
        "modified_time": "2026-07-01T20:28:37Z",
        "sha256": "5de09eab72381843fe526822a9e5ca746b9bb83574780063d03db585d7d79468",
        "source": "amazon-inspector",
        "versions": [
          "4.0.5"
        ]
      },
      {
        "id": "IN-MAL-2026-007878",
        "import_time": "2026-07-01T21:04:19.604792305Z",
        "modified_time": "2026-07-01T20:28:20Z",
        "sha256": "92885e3b8360ec230e1bee572fa04eb615357f6bdb69434e0dd1fa6d5e869923",
        "source": "amazon-inspector",
        "versions": [
          "4.0.4"
        ]
      },
      {
        "id": "IN-MAL-2026-007877",
        "import_time": "2026-07-01T21:04:19.553112002Z",
        "modified_time": "2026-07-01T20:28:12Z",
        "sha256": "e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1",
        "source": "amazon-inspector",
        "versions": [
          "4.0.3"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1)\nThe package\u0027s index.js defines run()/from_str() that recursively walk process.cwd() and match files named.env, env, id.json, config.json, config.toml, Config.toml, and.jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a `{username}@{localIp}` tag prefix and the filename in a header. All operational strings \u2014 the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP \u2014 are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,\u0027base64\u0027).toString(\u0027utf8\u0027)) to hide intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || \u0027piterpan\u0027) at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name \u2014 a lure targeting developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.\n",
  "id": "MAL-2026-6721",
  "modified": "2026-07-01T21:06:13Z",
  "published": "2026-07-01T20:28:12Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ts-eslint-helper/v/4.0.5"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ts-eslint-helper/v/4.0.4"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.npmjs.com/package/ts-eslint-helper/v/4.0.3"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in ts-eslint-helper (npm)"
}

