npm

eslint-plus @6.0.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-10087

Ecosystem

npm

Summary

Package declares postinstall: node lib/utils/index.js , which spawns a detached, stdio-suppressed Node child (spawn with detached:true, stdio:'ignore', child.unref()) that runs lib/utils/smtp-connection/index.js. That script uses axios to GET https://jsonkeeper.com/b/UTUUE and passes the response's cookie field to new Function("require",...)(require) , executing whatever JavaScript the anonymous mutable paste currently returns with full Node privileges on the installer's machine. jsonkeeper.com is a public, anonymously-editable JSON paste service, so the executed code can be silently swapped by the operator at any time. The detach + stdio-ignore + unref pattern is designed to survive after npm install exits and to hide output from the installer. Separately, the package is named eslint-plus and its homepage/description reference React Training and eslint tooling, but main points at lib/nodemailer.js and the tarball ships a copied nodemailer source tree authored by 'Andris Reinman' — a namespace/impersonation cover for the dropper.

Source: amazon-inspector (fbc3baf80e31e8027d7bb5b3fe5a873c5ff72d8344d39f8f01e191699a2310d7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.