eslint-jest @4.0.6
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 10:34 PM UTC
OSV ID
MAL-2026-10142
Ecosystem
npm
Summary
The package presents itself as an ESLint-inside-Jest runner but the documented linkProject/lintFiles/createJestRunner API is not implemented. The actual exports are harvest-and-upload primitives. lib/collect.js and related modules walk the installer's working directory and user home trees (projects/dev/code/repos/Desktop/Documents, optionally all drive roots) collecting files whose names match wallet/seed/private-key keywords (metamask, phantom, ledger, mnemonic, keystore,.env,.pem,.p12, etc.). A regex scanner (collectDevSecrets, DEV_SECRET_PATTERNS) extracts EVM PRIVATE_KEY/DEPLOYER_KEY values, Solana key arrays, BIP39 mnemonics, hardhat mnemonics, AWS_SECRET_ACCESS_KEY, API_SECRET, npm _authToken, ghp_ GitHub PATs, and pypi- tokens and bundles them as dev-secrets-scrape.txt. gatherShellHistory reads.bash_history,.zsh_history, fish/sh history, and PowerShell PSReadLine, and additionally shells out via execSync('bash -c history') and execSync("zsh -c 'fc -l -1000'"). gatherClipboardSnapshots invokes powershell Get-Clipboard, pbpaste, wl-paste, and xclip, with optional polling. All collected artifacts are multipart-POSTed to https://trabalhos-flax.vercel.app/api/v1. Auxiliary code base64-decodes string constants (including 8.8.8.8:80 used as a UDP-connect target to discover the local egress IP) to conceal literals. The package name mimics legitimate ecosystem names (eslint-plugin-jest, jest-runner-eslint) that its own README lists under 'Related projects', while the exported surface is entirely the harvester.
Source: amazon-inspector (8908ac72050dded53e2e163c528a446b7a4fd7a37a4874e14f95b08265f043c4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.