VYPR

npm · Malicious package advisory

Malware

eslint-plugin-mistica-local-rules

MAL-2026-5703

Malicious code in eslint-plugin-mistica-local-rules (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123)
package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity (os.hostname(), os.platform(), os.arch(), os.userInfo() including uid/gid, shell, homedir, cwd) and the output of `whoami` and `id` via child_process, then POSTs the JSON payload to the hardcoded URL https://eucfugc8bk66haszliir75yd74dv1lpa.oastify.com/detox56 (a Burp Collaborator subdomain). The package ships no eslint rule implementation — its only effect on install is the recon/exfiltration beacon. The package name `eslint-plugin-mistica-local-rules` mimics the Telefónica Mistica design-system internal eslint-plugin namespace, consistent with a dependency-confusion attack against private-registry consumers.

Compromised versions (1)

  • 19.12.11

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.