
MAL-2026-6187

Malicious code in eslint-helper (npm)

Details


## Source: amazon-inspector (5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301)

The package masquerades as an ESLint utility but contains no lint-related code. The exported from_str() recursively walks process.cwd() searching for secret-bearing files (.env, config.toml, Config.toml, config.json, env, id.json) and POSTs each file's contents to a hardcoded, base64-obfuscated endpoint at https://vercel-backend-five-vert.vercel.app/api/v1.

A helper _gsh() additionally reads ~/.bash_history, ~/.zsh_history, fish history, and PowerShell PSReadLine ConsoleHost_history.txt, and shells out via execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") to dump in-memory shell history, then ships each to the same endpoint.

All sensitive strings (target filenames, exfil URL, HTTP headers, USER env var name) are base64-obfuscated and decoded at module load via a decodeStr helper, indicating intentional evasion. Any project that requires this package and invokes from_str (or runs the shipped test.js) will leak credentials and shell history to the attacker.

Affected packages

npm / eslint-helper

No fixed version exists for eslint-helper (npm), and none should be expected: the package is malicious by design, not a legitimate project with one compromised release, so there is no known-safe version to pin to. Remove it from your dependency tree and lockfile, then treat every credential held in the files it targets (.env, config.toml, Config.toml, config.json, env, id.json) and anything recorded in shell history as exposed and rotate it.

References