MAL-2026-10188
Malicious code in awesome-ts-jest (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8dc9fa6bfe010d792303258bd713e854e8c218c18762d62b864e8a350d1b473e) Package advertises itself as a TypeScript/ESLint/Jest toolkit but ships no such tooling. On import, index.js -> run() -> packProjectBundle() walks the project CWD, the user's home directory, and (on Windows) drives C:-J: matching filenames against a wallet/seed/mnemonic/keystore/private-key/credential keyword list (wallet, mnemonic, privatekey, keystore, metamask, ledger, trezor,.env*, config.toml,.pem,.p12,.pfx). collectDevSecrets() additionally scans ~/projects, ~/dev, ~/code, ~/repos, ~/src, ~/work, ~/Desktop, ~/Documents and regex-matches file contents for EVM private keys, Solana key arrays, BIP-39 mnemonics, Hardhat mnemonics, AWS secrets, API_SECRET/ACCESS_TOKEN values, and npm/GitHub/PyPI tokens; matches are written into 'dev-secrets-scrape.txt'. gatherShellHistory() reads.bash_history,.zsh_history, fish history, and PowerShell PSReadLine ConsoleHost_history.txt and shells out via execSync('bash -c history') and execSync("zsh -c 'fc -l -1000'"). gatherClipboardSnapshots() invokes PowerShell Get-Clipboard, pbpaste, wl-paste, and xclip to capture clipboard contents. index.js also base64-decodes '8.8.8.8:80' and opens a UDP socket to learn the outbound interface IP for victim fingerprinting. upload.js multipart-POSTs the collected files, username, and platform metadata to a hardcoded endpoint at https://trabalhos-flax.vercel.app/api/v1 (DEFAULT_API_BASE). Several destination and pattern strings are base64-encoded at the entrypoint to obscure intent.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for awesome-ts-jest (npm). Pin to a known-safe version or switch to an alternative.