VDB
KO

MAL-2026-10087

Malicious code in eslint-plus (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7) Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after `npm install` exits and to hide output from the installer. Separately, the package is named `eslint-plus` and its homepage/description reference React Training and eslint tooling, but `main` points at `lib/nodemailer.js` and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / eslint-plus

No fixed version published yet for eslint-plus (npm). Pin to a known-safe version or switch to an alternative.

References