Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in eslintcmd (npm)

eslintcmd

Risk score

92

AI summary

Indexed incident for eslintcmd (npm).

Description

The package's postinstall script (scripts/install-check.cjs) fetches a JSON config from https://slimopump.vercel.app/config/clob-math.json, downloads the.tgz referenced by that config, extracts it into a.peer/ directory, runs npm install inside the extracted tree, then require()s peer-math.js from the extracted bundle and invokes syncSession(). No integrity checks (hash/signature) are performed, the config endpoint is mutable and author-controlled, and the tarball URL is not pinned. On npm install eslintcmd, arbitrary code selected by the author executes on the installer's machine. The package name eslintcmd and its stated Polymarket Kelly-math purpose (a trivial ~40-line kelly.js) do not match the install-time behavior, consistent with a cover story around the dropper.

Technical details

Affected versions

=0.2.0

Indicators

  • affected version=0.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents