MAL-2026-10142: Malicious code in eslint-jest (npm)
The eslint-jest npm package versions 4.0.4, 4.0.5, and 4.0.6 contain malicious code that masquerades as an ESLint runner for Jest but instead harvests sensitive files and secrets from the user's system. It collects private keys, mnemonics, API tokens, shell histories, and clipboard contents, then exfiltrates this data to a remote server. Installation of this package results in a full compromise of the affected system, requiring immediate secret rotation and package removal.
AI Analysis
Technical Summary
The eslint-jest package in versions 4.0.4, 4.0.5, and 4.0.6 is a malicious npm package that pretends to provide ESLint integration with Jest but actually exports functionality to collect sensitive developer secrets and environment data. It scans the installer's working directory, user home directories, and optionally entire drive roots for files containing wallet keys, mnemonics, API tokens, and other secrets. It also collects shell history and clipboard data using various platform-specific methods. All harvested data is sent via multipart POST requests to a remote endpoint at https://trabalhos-flax.vercel.app/api/v1. The package uses obfuscation techniques such as base64-decoded strings to hide its true behavior. Due to the nature of the compromise, any system with this package installed should be considered fully compromised.
Potential Impact
Systems with eslint-jest versions 4.0.4, 4.0.5, or 4.0.6 installed are fully compromised. Sensitive information including private keys, mnemonics, API tokens, shell histories, and clipboard contents can be stolen and exfiltrated to an attacker-controlled server. This leads to potential unauthorized access to cryptocurrency wallets, cloud services, source code repositories, and other critical resources. The compromise is severe enough that simply removing the package does not guarantee full remediation, as attackers may have established persistent control.
Mitigation Recommendations
No official patch or fix is available for this malicious package. Immediate removal of eslint-jest versions 4.0.4, 4.0.5, and 4.0.6 is required. All secrets and keys stored on the affected system must be rotated immediately from a separate, trusted device. Due to the high risk of full system compromise, a thorough incident response and system rebuild may be necessary. Monitor for any suspicious activity and avoid installing packages from untrusted sources.
MAL-2026-10142: Malicious code in eslint-jest (npm)
Description
The eslint-jest npm package versions 4.0.4, 4.0.5, and 4.0.6 contain malicious code that masquerades as an ESLint runner for Jest but instead harvests sensitive files and secrets from the user's system. It collects private keys, mnemonics, API tokens, shell histories, and clipboard contents, then exfiltrates this data to a remote server. Installation of this package results in a full compromise of the affected system, requiring immediate secret rotation and package removal.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The eslint-jest package in versions 4.0.4, 4.0.5, and 4.0.6 is a malicious npm package that pretends to provide ESLint integration with Jest but actually exports functionality to collect sensitive developer secrets and environment data. It scans the installer's working directory, user home directories, and optionally entire drive roots for files containing wallet keys, mnemonics, API tokens, and other secrets. It also collects shell history and clipboard data using various platform-specific methods. All harvested data is sent via multipart POST requests to a remote endpoint at https://trabalhos-flax.vercel.app/api/v1. The package uses obfuscation techniques such as base64-decoded strings to hide its true behavior. Due to the nature of the compromise, any system with this package installed should be considered fully compromised.
Potential Impact
Systems with eslint-jest versions 4.0.4, 4.0.5, or 4.0.6 installed are fully compromised. Sensitive information including private keys, mnemonics, API tokens, shell histories, and clipboard contents can be stolen and exfiltrated to an attacker-controlled server. This leads to potential unauthorized access to cryptocurrency wallets, cloud services, source code repositories, and other critical resources. The compromise is severe enough that simply removing the package does not guarantee full remediation, as attackers may have established persistent control.
Mitigation Recommendations
No official patch or fix is available for this malicious package. Immediate removal of eslint-jest versions 4.0.4, 4.0.5, and 4.0.6 is required. All secrets and keys stored on the affected system must be rotated immediately from a separate, trusted device. Due to the high risk of full system compromise, a thorough incident response and system rebuild may be necessary. Monitor for any suspicious activity and avoid installing packages from untrusted sources.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10142
- Osv Schema Version
- 1.7.4
- Aliases
- ["GHSA-m3v6-5prj-x7rp"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a520eb968715ace438f568b
Added to database: 07/11/2026, 09:36:57 UTC
Last enriched: 07/11/2026, 09:52:59 UTC
Last updated: 07/12/2026, 03:58:18 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.