VYPR

npm · Malicious package advisory

Malware

ts-eslinter

MAL-2026-6896

Malicious code in ts-eslinter (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (56fe794783cf855aba4980f7186b85866fd3048cbb97803fe8c575192cb30d44)
Package name resembles common ESLint/TypeScript tooling and the main entry index.js contains base64 decoding via Buffer.from(..., 'base64').toString('utf8') at line 7 (with another Buffer.from at line 86). Base64 decoding of an embedded string is a common precursor to obfuscated payload execution, but it is also used for many legitimate purposes (config blobs, asset embedding, default keys). Without traced execution showing the decoded bytes being eval'd, executed via child_process, or sent over the network, intent cannot be confirmed from the available evidence. The name is also close to legitimate linter packages, which warrants a human look.

## Source: ghsa-malware (a31a70f73d25ed15fda28427e476afffbf8c8c5a617b9afb8c5d1b76d11d9154)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.