MAL-2026-6567: Malicious code in eslint-commit-parser (npm)
The npm package 'eslint-commit-parser' version 1.0.0 is identified as malicious. It is a deceptive package that contains unrelated code copied verbatim from the 'supertest' HTTP-testing library, misleading users expecting an ESLint commit parser. Additionally, it declares a runtime dependency on an unfamiliar low-version package 'express-mocha-test' which is installed alongside but not used by the package. The package also communicates with a domain associated with malicious activity, indicating potential malicious intent.
AI Analysis
Technical Summary
The 'eslint-commit-parser' npm package at version 1.0.0 is a malicious package that abuses namespace and dependency confusion techniques. Its contents are a direct copy of the 'supertest' library, unrelated to its advertised purpose. The package.json misleads users by carrying supertest's description and repository URL. It also declares a runtime dependency on 'express-mocha-test@^0.0.1', which is not imported or required by any file in the package, serving only to install this additional package on the user's system. The package has been flagged by OpenSSF Package Analysis and Amazon Inspector as malicious due to its deceptive nature and communication with a domain linked to malicious activity.
Potential Impact
Users installing 'eslint-commit-parser' version 1.0.0 expecting an ESLint commit parser will instead receive unrelated code and have an additional suspicious dependency installed on their system. The package's communication with a malicious domain poses a risk of further malicious activity, such as data exfiltration or command and control, although specific exploitation details are not provided.
Mitigation Recommendations
No official patch or remediation is available for this package. The best mitigation is to avoid installing 'eslint-commit-parser' version 1.0.0 and remove it if already installed. Users should verify package authenticity before installation and prefer well-known, trusted packages. Monitor vendor advisories or npm security advisories for any updates regarding this package.
MAL-2026-6567: Malicious code in eslint-commit-parser (npm)
Description
The npm package 'eslint-commit-parser' version 1.0.0 is identified as malicious. It is a deceptive package that contains unrelated code copied verbatim from the 'supertest' HTTP-testing library, misleading users expecting an ESLint commit parser. Additionally, it declares a runtime dependency on an unfamiliar low-version package 'express-mocha-test' which is installed alongside but not used by the package. The package also communicates with a domain associated with malicious activity, indicating potential malicious intent.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'eslint-commit-parser' npm package at version 1.0.0 is a malicious package that abuses namespace and dependency confusion techniques. Its contents are a direct copy of the 'supertest' library, unrelated to its advertised purpose. The package.json misleads users by carrying supertest's description and repository URL. It also declares a runtime dependency on 'express-mocha-test@^0.0.1', which is not imported or required by any file in the package, serving only to install this additional package on the user's system. The package has been flagged by OpenSSF Package Analysis and Amazon Inspector as malicious due to its deceptive nature and communication with a domain linked to malicious activity.
Potential Impact
Users installing 'eslint-commit-parser' version 1.0.0 expecting an ESLint commit parser will instead receive unrelated code and have an additional suspicious dependency installed on their system. The package's communication with a malicious domain poses a risk of further malicious activity, such as data exfiltration or command and control, although specific exploitation details are not provided.
Mitigation Recommendations
No official patch or remediation is available for this package. The best mitigation is to avoid installing 'eslint-commit-parser' version 1.0.0 and remove it if already installed. Users should verify package authenticity before installation and prefer well-known, trusted packages. Monitor vendor advisories or npm security advisories for any updates regarding this package.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6567
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a42ed6d27e9c79719938e9a
Added to database: 06/29/2026, 22:10:53 UTC
Last enriched: 06/29/2026, 22:36:21 UTC
Last updated: 06/30/2026, 01:45:02 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.