MAL-2026-6567
Malicious code in eslint-commit-parser (npm)
Details
## Source: amazon-inspector (5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195)

The package is published under the name `eslint-commit-parser`, but its contents are a verbatim copy of the `supertest` HTTP-testing library: `package.json` carries supertest's description ("SuperAgent driven library for testing HTTP servers") and repository URL (https://github.com/ladjs/supertest.git), and the shipped source is supertest's. A developer who installs `eslint-commit-parser` expecting an ESLint commit parser receives unrelated code. `package.json` additionally declares a runtime dependency on `express-mocha-test@^0.0.1`, but no file in the tarball requires or imports that module; its only effect on the installer is to be resolved and installed alongside the carrier. The combination of a deceptive package name, contents unrelated to the advertised identity, and an unused, unfamiliar, low-version dependency is the standard namespace-abuse / dependency-confusion carrier shape: the host package is hollow with respect to its declared identity, and its purpose on install is to drag `express-mocha-test` onto the installer's machine.
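The two signals described above (a declared dependency that nothing in the tarball imports, and a package name that does not match the repository it claims to come from) can be checked mechanically before a package is allowed into a build. The following is an added example written for this advisory, not code from the advisory's sources or from the package; the `package.json` fields and file contents are a constructed sample that mimics the described shape, not the real tarball.

```javascript
// Heuristic audit for the "hollow carrier" shape: declared runtime dependencies that no
// shipped JS file requires/imports, plus a package name that differs from its repository name.
const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g;

// Reduce a module specifier ("supertest/lib/test", "@scope/pkg/x") to its package name.
function packageNameOf(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null; // relative path, not a package
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// files: { relativePath: contents } as unpacked from the tarball.
function referencedPackages(files) {
  const seen = new Set();
  for (const [name, src] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(name)) continue;
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      for (const m of src.matchAll(re)) {
        const pkg = packageNameOf(m[1]);
        if (pkg) seen.add(pkg);
      }
    }
  }
  return seen;
}

// pkg: parsed package.json. Returns the findings a reviewer would want to see.
function auditPackage(pkg, files) {
  const used = referencedPackages(files);
  const unused = Object.keys(pkg.dependencies || {}).filter((d) => !used.has(d));
  const repoUrl = (pkg.repository && pkg.repository.url) || '';
  const repoName = repoUrl.replace(/\.git$/, '').split('/').pop() || '';
  const nameMismatch = repoName !== '' && repoName !== pkg.name;
  return { unused, repoName, nameMismatch };
}

// Constructed sample (not the real tarball) reproducing the shape the advisory describes.
const samplePkg = {
  name: 'eslint-commit-parser',
  description: 'SuperAgent driven library for testing HTTP servers',
  repository: { type: 'git', url: 'https://github.com/ladjs/supertest.git' },
  dependencies: { superagent: '^8.0.0', 'express-mocha-test': '^0.0.1' },
};
const sampleFiles = {
  'index.js': "module.exports = require('./lib/test');",
  'lib/test.js': "const agent = require('superagent');\nmodule.exports = agent;",
};
```

Run against the sample, `auditPackage` reports `express-mocha-test` as declared but never imported and flags the name mismatch against `supertest`; both findings are exactly the indicators the source analysis relies on.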
## Source: ossf-package-analysis (8631c673a2ca9fdebee382762a69c849485f6e2aa3c749173dea8d0f0f6e090b)

The OpenSSF Package Analysis project identified 'eslint-commit-parser' @ 1.0.0 (npm) as malicious.

It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected packages

eslint-commit-parser (npm): no fixed version published yet. Pin to a known-safe version or switch to an alternative.