npm · Malicious package advisory
Malwareeslint-plugin-mistica-local-rules
MAL-2026-5703
Malicious code in eslint-plugin-mistica-local-rules (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123) package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity (os.hostname(), os.platform(), os.arch(), os.userInfo() including uid/gid, shell, homedir, cwd) and the output of `whoami` and `id` via child_process, then POSTs the JSON payload to the hardcoded URL https://eucfugc8bk66haszliir75yd74dv1lpa.oastify.com/detox56 (a Burp Collaborator subdomain). The package ships no eslint rule implementation — its only effect on install is the recon/exfiltration beacon. The package name `eslint-plugin-mistica-local-rules` mimics the Telefónica Mistica design-system internal eslint-plugin namespace, consistent with a dependency-confusion attack against private-registry consumers.
Compromised versions (1)
- 19.12.11
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.