OSV Malicious Advisory
scanned 14h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10703 confirms this npm version as malicious. @across-toolkit/eslint-config@99.0.1 runs a postinstall.js script on npm install that harvests installer-side secrets and posts them to a hardcoded third-party endpoint. The script reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.gitconfig, gcloud application-default credentials, /etc/environment, /proc/1/environ, and.env files; base64-encodes all of process.env (including...
Advisory
MAL-2026-10703
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @across-toolkit/eslint-config (npm)
Details
@across-toolkit/eslint-config@99.0.1 runs a postinstall.js script on npm install that harvests installer-side secrets and posts them to a hardcoded third-party endpoint. The script reads ~/.aws/credentials, ~/.aws/config, ~/.ssh/id_rsa, ~/.ssh/id_ed25519, ~/.npmrc, ~/.gitconfig, gcloud application-default credentials, /etc/environment, /proc/1/environ, and.env files; base64-encodes all of process.env (including NPM_TOKEN, GITHUB_TOKEN, and Actions OIDC tokens); queries the GCP metadata service at metadata.google.internal for OAuth tokens, project, service-account email, and scopes; queries the AWS IMDS at 169.254.169.254 for iam/security-credentials and iam/info; and invokes gcloud auth print-access-token and shell reconnaissance (hostname, whoami). The collected payload is POSTed via https.request to https://webhook.site/a585f4ec-20f7-4bd1-bac7-f3e53799dc5f. The package name and 99.0.1 version are shaped for dependency-confusion against an Across Protocol internal namespace.
## Source: ossf-package-analysis (39b362e696810bfa8c5720ad97ba58d89920e87f909de311950b0939c731e7f7) The OpenSSF Package Analysis project identified '@across-toolkit/eslint-config' @ 99.0.1 (npm) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Decision reason
OpenSSF Malicious Packages via OSV confirms @across-toolkit/eslint-config@99.0.0 as malicious (MAL-2026-10703): Malicious code in @across-toolkit/eslint-config (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory