Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10142: Malicious code in eslint-jest (npm)

0
Critical
Published: 07/10/2026 (07/10/2026, 16:05:17 UTC)
Source: GCVE Database
Product: eslint-jest

Description

The eslint-jest npm package versions 4.0.4, 4.0.5, and 4.0.6 contain malicious code that masquerades as an ESLint runner for Jest but instead harvests sensitive files and secrets from the user's system. It collects private keys, mnemonics, API tokens, shell histories, and clipboard contents, then exfiltrates this data to a remote server. Installation of this package results in a full compromise of the affected system, requiring immediate secret rotation and package removal.

Affected software

npmghsa
eslint-jest
Affected versions
=4.0.5=4.0.6=4.0.4

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:52:59 UTC

Technical Analysis

The eslint-jest package in versions 4.0.4, 4.0.5, and 4.0.6 is a malicious npm package that pretends to provide ESLint integration with Jest but actually exports functionality to collect sensitive developer secrets and environment data. It scans the installer's working directory, user home directories, and optionally entire drive roots for files containing wallet keys, mnemonics, API tokens, and other secrets. It also collects shell history and clipboard data using various platform-specific methods. All harvested data is sent via multipart POST requests to a remote endpoint at https://trabalhos-flax.vercel.app/api/v1. The package uses obfuscation techniques such as base64-decoded strings to hide its true behavior. Due to the nature of the compromise, any system with this package installed should be considered fully compromised.

Potential Impact

Systems with eslint-jest versions 4.0.4, 4.0.5, or 4.0.6 installed are fully compromised. Sensitive information including private keys, mnemonics, API tokens, shell histories, and clipboard contents can be stolen and exfiltrated to an attacker-controlled server. This leads to potential unauthorized access to cryptocurrency wallets, cloud services, source code repositories, and other critical resources. The compromise is severe enough that simply removing the package does not guarantee full remediation, as attackers may have established persistent control.

Mitigation Recommendations

No official patch or fix is available for this malicious package. Immediate removal of eslint-jest versions 4.0.4, 4.0.5, and 4.0.6 is required. All secrets and keys stored on the affected system must be rotated immediately from a separate, trusted device. Due to the high risk of full system compromise, a thorough incident response and system rebuild may be necessary. Monitor for any suspicious activity and avoid installing packages from untrusted sources.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10142
Osv Schema Version
1.7.4
Aliases
["GHSA-m3v6-5prj-x7rp"]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a520eb968715ace438f568b

Added to database: 07/11/2026, 09:36:57 UTC

Last enriched: 07/11/2026, 09:52:59 UTC

Last updated: 07/12/2026, 03:58:18 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses