MAL-2026-6721
Malicious code in ts-eslint-helper (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1)

The package's index.js defines run()/from_str() that recursively walk process.cwd() and match files named .env, env, id.json, config.json, config.toml, Config.toml, and .jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a `{username}@{localIp}` tag prefix and the filename in a header. All operational strings — the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP — are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) to hide intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || 'piterpan') at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name — a lure targeting developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.
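For reviewers triaging a dependency, the string-hiding pattern described above can be surfaced statically. The following is an added example, not code from the package or from the advisory source: it decodes quoted base64 literals and flags those that turn out to be a URL, an IP endpoint, or one of the filenames listed above. The function names, the sample source and its placeholder URL are constructed, and it assumes plain base64, since any extra transformation inside decodeStr() is not described here.

```javascript
// Added example: flag base64 string literals that decode to the indicator
// types named in the advisory (URL, IP:port probe, secret-file names).
// Assumption: plain base64 only; any extra transform in decodeStr() is unknown.
const SENSITIVE_NAMES = new Set(['.env', 'env', 'id.json', 'config.json',
  'config.toml', 'Config.toml', '.jsonc']); // filename list from the advisory
const QUOTED_B64 = /(['"`])([A-Za-z0-9+/]{4,}={0,2})\1/g;

function decodeStrict(literal) {
  if (literal.length % 4 !== 0) return null;
  const buf = Buffer.from(literal, 'base64');
  if (buf.toString('base64') !== literal) return null; // not canonical base64
  const text = buf.toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null; // printable ASCII only
}

function classify(decoded) {
  if (/^https?:\/\/\S+$/i.test(decoded)) return 'url';
  if (/^\d{1,3}(\.\d{1,3}){3}(:\d{1,5})?$/.test(decoded)) return 'ip-endpoint';
  if (SENSITIVE_NAMES.has(decoded)) return 'secret-filename';
  return null;
}

// Returns one finding per quoted literal that decodes to a known indicator type.
function findEncodedIndicators(source) {
  const findings = [];
  for (const m of source.matchAll(QUOTED_B64)) {
    const decoded = decodeStrict(m[2]);
    const kind = decoded && classify(decoded);
    if (kind) findings.push({ kind, decoded, offset: m.index });
  }
  return findings;
}

// Constructed sample, not the package's code; the URL is a placeholder.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const SAMPLE_SOURCE = [
  "const axios = require('axios');",
  `const u = decodeStr(Buffer.from('${b64('https://collector.example.invalid/api/v1')}','base64').toString('utf8'));`,
  `const p = decodeStr(Buffer.from('${b64('8.8.8.8:80')}','base64').toString('utf8'));`,
  `const names = ['${b64('.env')}', '${b64('id.json')}'];`,
].join('\n');

for (const f of findEncodedIndicators(SAMPLE_SOURCE)) {
  console.log(`${f.kind} at offset ${f.offset}: ${f.decoded}`);
}
```

A hit is a prompt for manual review rather than a verdict: legitimate packages also embed base64, but a package that hides both a destination URL and secret-file names this way warrants a closer look.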
Affected packages
No fixed version published yet for ts-eslint-helper (npm). Pin to a known-safe version or switch to an alternative.