VDB
KO

MAL-2026-10076

Malicious code in ts-eslint-jest (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8e1ffed26d2d64bf9076210504de22b87e27a065821dedbc708fb05f7c47db74) The package ts-eslint-jest@1.0.0 presents as a TypeScript/ESLint/Jest helper but ships lib/collect.js, which imports child_process and invokes execSync('bash...') at line 205 and execSync('zsh...') at line 221. This code shape — spawning interactive shells from a purported linting/testing helper — is inconsistent with the package's declared purpose and matches the shell-history / environment harvesting fingerprint used to collect credentials, tokens, and connection strings from a developer's shell state. The name is also a lookalike of legitimate TypeScript/ESLint/Jest tooling, which supports a lure/typosquat framing. Automated tracing of collect.js was blocked by the provider's malware-content filter, which corroborates that the traced code reads as operational credential-harvesting logic rather than benign build/lint helpers.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ts-eslint-jest

No fixed version published yet for ts-eslint-jest (npm). Pin to a known-safe version or switch to an alternative.

References