MAL-2026-10670: Malicious code in eslintcmd (npm)
The npm package 'eslintcmd' version 0.2.0 contains malicious code executed during installation. Its postinstall script fetches a remote JSON configuration from a mutable, author-controlled endpoint, downloads a tarball from an unpinned URL, extracts it, installs dependencies, and executes arbitrary code without integrity checks. The package's stated purpose does not align with its install-time behavior, indicating a cover story to disguise the malicious activity.
AI Analysis
Technical Summary
The 'eslintcmd' npm package version 0.2.0 executes arbitrary code on the installer's machine via its postinstall script. This script downloads a JSON config from https://slimopump.vercel.app/config/clob-math.json, which references a tarball URL. The tarball is downloaded and extracted into a subdirectory, where 'npm install' is run, and then a JavaScript file is required and executed. No integrity verification is performed on the downloaded resources, and the config endpoint is mutable and controlled by the attacker. This allows the attacker to execute arbitrary code during package installation, posing a significant security risk.
Potential Impact
Arbitrary code execution occurs on any machine installing 'eslintcmd' version 0.2.0, allowing the attacker to run any code with the installer's privileges. This can lead to system compromise, data theft, or further malware deployment. The lack of integrity checks and mutable remote resources enable dynamic and stealthy malicious payload delivery.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Users should avoid installing 'eslintcmd' version 0.2.0. Remove the package if already installed and audit systems for potential compromise. Use trusted package sources and verify package integrity before installation. Monitor for updates from the npm registry or security advisories regarding this package.
MAL-2026-10670: Malicious code in eslintcmd (npm)
Description
The npm package 'eslintcmd' version 0.2.0 contains malicious code executed during installation. Its postinstall script fetches a remote JSON configuration from a mutable, author-controlled endpoint, downloads a tarball from an unpinned URL, extracts it, installs dependencies, and executes arbitrary code without integrity checks. The package's stated purpose does not align with its install-time behavior, indicating a cover story to disguise the malicious activity.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'eslintcmd' npm package version 0.2.0 executes arbitrary code on the installer's machine via its postinstall script. This script downloads a JSON config from https://slimopump.vercel.app/config/clob-math.json, which references a tarball URL. The tarball is downloaded and extracted into a subdirectory, where 'npm install' is run, and then a JavaScript file is required and executed. No integrity verification is performed on the downloaded resources, and the config endpoint is mutable and controlled by the attacker. This allows the attacker to execute arbitrary code during package installation, posing a significant security risk.
Potential Impact
Arbitrary code execution occurs on any machine installing 'eslintcmd' version 0.2.0, allowing the attacker to run any code with the installer's privileges. This can lead to system compromise, data theft, or further malware deployment. The lack of integrity checks and mutable remote resources enable dynamic and stealthy malicious payload delivery.
Mitigation Recommendations
No official patch or fix is currently available for this malicious package. Users should avoid installing 'eslintcmd' version 0.2.0. Remove the package if already installed and audit systems for potential compromise. Use trusted package sources and verify package integrity before installation. Monitor for updates from the npm registry or security advisories regarding this package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10670
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ed868715ace43b3fac3
Added to database: 07/15/2026, 12:36:40 UTC
Last enriched: 07/15/2026, 12:46:32 UTC
Last updated: 07/16/2026, 03:34:29 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.