OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10498 confirms this npm version as malicious. package.json declares a preinstall lifecycle script that runs curl against the hardcoded bare IP http://109.71.252.153:8080/ at npm install time, sending the installer's OS (uname -s), username (whoami), working directory (pwd), and hostname as query-string parameters. The script fires automatically on `npm install` with no user interaction. The package ships only README and package.json — the declared `main:...
Advisory
MAL-2026-10498
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eslint-angular-react (npm)
Details
package.json declares a preinstall lifecycle script that runs curl against the hardcoded bare IP http://109.71.252.153:8080/ at npm install time, sending the installer's OS (uname -s), username (whoami), working directory (pwd), and hostname as query-string parameters. The script fires automatically on `npm install` with no user interaction. The package ships only README and package.json — the declared `main: index.js` is absent and no ESLint functionality is provided — so the package's sole effect on the installer is the reconnaissance beacon. The name impersonates the ESLint plugin namespace (eslint-* / Angular / React), consistent with a typosquat/dependency-confusion lure aimed at developers searching for an ESLint plugin.
Decision reason
OpenSSF Malicious Packages via OSV confirms eslint-angular-react@110.0.1 as malicious (MAL-2026-10498): Malicious code in eslint-angular-react (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory