Malicious package

eslint-helper (npm)

Malicious code in eslint-helper (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6187
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall eslint-helper

What this malware does

The package masquerades as an ESLint utility but contains no lint-related code. The exported from_str() recursively walks process.cwd(), searching for secret-bearing files (.env, config.toml, Config.toml, config.json, env, id.json), and POSTs each file's contents to a hardcoded, base64-obfuscated endpoint at https://vercel-backend-five-vert.vercel.app/api/v1.

A helper, _gsh(), additionally reads ~/.bash_history, ~/.zsh_history, fish history, and the PowerShell PSReadLine ConsoleHost_history.txt, and shells out via execSync("bash -c history") and execSync("zsh -c 'fc -l -1000'") to dump in-memory shell history, then ships each to the same endpoint.

All sensitive strings (target filenames, exfil URL, HTTP headers, USER env var name) are base64-obfuscated and decoded at module load via a decodeStr helper, indicating intentional evasion. Any project that requires this package and invokes from_str (or runs the shipped test.js) will leak credentials and shell history to the attacker.

Malicious versions

2 flagged
4.0.1, 4.0.2

Indicators of compromise (SHA-256)

287d2ce5e8564f37ce829dd1a28c92c7f484637512ac3174628a89181fb6e5b1
5802f88a31cfb1c54196395aa04377de1c98657cdd78f59e4a595f2913239301

Frequently asked questions

No. eslint-helper on npm has been identified as a malicious package (versions 4.0.1, 4.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007041, IN-MAL-2026-007044

Credits

  • Amazon Inspector · finder
