—

MAL-2026-6195

Malicious code in ts-linter-builders (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6) index.js imports child_process and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, with additional fetch() calls to the same destination. The code reads environment data and host identifiers and ships them to this attacker-controlled endpoint. The package name advertises a TypeScript linter helper, but the embedded behavior is unrelated to linting and matches the shape of a credential/host-info beacon. The hardcoded third-party Vercel-hosted endpoint, combined with environment reads and child_process import, constitutes an installer-side exfiltration / RCE staging surface with no legitimate purpose for a 'linter builder' package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / ts-linter-builders

No fixed version published yet for ts-linter-builders (npm). Pin to a known-safe version or switch to an alternative.

References

https://www.npmjs.com/package/ts-linter-builders/v/1.0.4 [PACKAGE]