Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in ts-eslint-helper (npm)

ts-eslint-helper

Risk score

92

AI summary

Indexed incident for ts-eslint-helper (npm).

Description

The package's index.js defines run()/from_str(), which recursively walk process.cwd(), match files named .env, env, id.json, config.json, config.toml, Config.toml, and .jsonc, and POST their contents (via axios) to https://polymarket-clob-service.vercel.app/api/v1, tagged with a {username}@{localIp} prefix and carrying the filename in a request header.

All operational strings (the destination URL, the target filename patterns, the header names, and an 8.8.8.8:80 probe used to discover the local IP) are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) so that a grep of the source reveals no intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || 'piterpan') at load, so exfiltration is triggered immediately in any environment that executes it.

The package name mimics the @typescript-eslint tooling ecosystem while shipping an empty description, author and keywords and no functionality matching that name: a lure aimed at developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.

Technical details

Affected versions

=4.0.5, =4.0.4, =4.0.3

Indicators

  • affected version =4.0.5 (75%)
  • affected version =4.0.4 (75%)
  • affected version =4.0.3 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents