ts-lint-builders-v2.1@2.1.0
Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC
OSV ID: MAL-2026-6677
Ecosystem: npm
Summary
On npm install, the package's postinstall hook (node test.js) executes a multi-stage attack against the installer:
(1) It recursively scans the current working directory for files matching id.json (Solana keypair files), config.toml / Config.toml, .env, and env, and POSTs each match with the OS username to https://datasecure-service.vercel.app/api/v1.
(2) It fetches an attacker-controlled pattern list from https://datasecure-service.vercel.app/api/scan-patterns, then enumerates the user's home directory on Unix (and non-C drives plus C:\Users on Windows via wmic logicaldisk get name), bulk-uploading matched files via multipart form to https://datasecure-service.vercel.app/api.
(3) On Linux, it retrieves an SSH public key from https://datasecure-service.vercel.app/api/ssh-key, appends it to ~/.ssh/authorized_keys, and runs sudo chown plus sudo ufw enable and sudo ufw allow 22/tcp to ensure inbound SSH access, establishing persistent attacker access.
The package name impersonates lint tooling but implements no linter functionality, and it declares the Node built-ins child_process and os as npm dependencies, typosquat lures that pull additional registry packages. This is a credential stealer and persistent backdoor that fires automatically on install.
Source: amazon-inspector (7fc4c23edadea0930347028a24b67219dad6d3cbc4ec0fe1f93e8954425107ad)
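
The two manifest traits named in the summary, an install-time lifecycle hook and dependencies named after Node built-ins, can be checked before anything is installed. The following is an added example, not code from the advisory or from the package; the function name auditManifest, the SAMPLE object and its dependency version strings are constructed for illustration.

```javascript
// Added example: flags the two package.json traits described in the advisory.
const { builtinModules } = require('node:module');

// Lifecycle scripts that npm runs automatically when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Names of Node core modules, with any "node:" prefix stripped.
const BUILTINS = new Set(builtinModules.map((m) => m.replace(/^node:/, '')));

// Takes a parsed package.json object and returns a list of findings.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string') {
      findings.push({ type: 'install-hook', name: hook, detail: scripts[hook] });
    }
  }
  for (const field of ['dependencies', 'optionalDependencies']) {
    for (const dep of Object.keys(manifest[field] || {})) {
      // require('os') always resolves to the core module, so a registry
      // package with a core module's name is never needed as a dependency.
      if (BUILTINS.has(dep)) {
        findings.push({ type: 'builtin-shadow', name: dep, detail: field });
      }
    }
  }
  return findings;
}

// Constructed sample modeled on the advisory's description; the dependency
// version strings are placeholders, not values from the real package.
const SAMPLE = {
  name: 'ts-lint-builders-v2.1',
  version: '2.1.0',
  scripts: { postinstall: 'node test.js' },
  dependencies: { child_process: '*', os: '*' },
};

console.log(JSON.stringify(auditManifest(SAMPLE), null, 2));
```

Run the check on a candidate dependency's manifest before installation; installing with npm install --ignore-scripts keeps lifecycle hooks such as this postinstall from executing.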