VYPR

npm · Malicious package advisory

Malware

eslint-helper

MAL-2026-6187

Malicious code in eslint-helper (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301)
Package masquerades as an ESLint utility but contains no lint-related code. The exported from_str() recursively walks process.cwd() searching for secret-bearing files (.env, config.toml, Config.toml, config.json, env, id.json) and POSTs each file's contents to a hardcoded, base64-obfuscated endpoint at https://vercel-backend-five-vert.vercel.app/api/v1. A helper _gsh() additionally reads ~/.bash_history, ~/.zsh_history, fish history, and PowerShell PSReadLine ConsoleHost_history.txt, and shells out via execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") to dump in-memory shell history, then ships each to the same endpoint. All sensitive strings (target filenames, exfil URL, HTTP headers, USER env var name) are base64-obfuscated and decoded at module load via a decodeStr helper, indicating intentional evasion. Any project that requires this package and invokes from_str (or runs the shipped test.js) will leak credentials and shell history to the attacker.

## Source: ghsa-malware (a12235e67c9b0720356aa892ed51f2256ef30f7eb599f45b8d50eb9191aedd36)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (2)

  • 4.0.1
  • 4.0.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.