ts-eslint-jest @1.0.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10076
Ecosystem
npm
Summary
The package ts-eslint-jest@1.0.0 presents as a TypeScript/ESLint/Jest helper but ships lib/collect.js, which imports child_process and invokes execSync('bash...') at line 205 and execSync('zsh...') at line 221. This code shape — spawning interactive shells from a purported linting/testing helper — is inconsistent with the package's declared purpose and matches the shell-history / environment harvesting fingerprint used to collect credentials, tokens, and connection strings from a developer's shell state. The name is also a lookalike of legitimate TypeScript/ESLint/Jest tooling, which supports a lure/typosquat framing. Automated tracing of collect.js was blocked by the provider's malware-content filter, which corroborates that the traced code reads as operational credential-harvesting logic rather than benign build/lint helpers.
Source: amazon-inspector (8e1ffed26d2d64bf9076210504de22b87e27a065821dedbc708fb05f7c47db74)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.