npm · Malicious package advisory
Malwareeslint-plus
MAL-2026-10087
Malicious code in eslint-plus (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7)
Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after `npm install` exits and to hide output from the installer. Separately, the package is named `eslint-plus` and its homepage/description reference React Training and eslint tooling, but `main` points at `lib/nodemailer.js` and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.
Compromised versions (2)
- 6.0.5
- 6.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.