registry  /  eslint-plus  /  6.0.4

eslint-plus@6.0.4

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10087 confirms this npm version as malicious. Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste...

Advisory
MAL-2026-10087
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eslint-plus (npm)
Details
Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after `npm install` exits and to hide output from the installer. Separately, the package is named `eslint-plus` and its homepage/description reference React Training and eslint tooling, but `main` points at `lib/nodemailer.js` and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms eslint-plus@6.0.4 as malicious (MAL-2026-10087): Malicious code in eslint-plus (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory