Which versions of eslint-helper-1 are malicious?

The following npm versions of eslint-helper-1 are flagged malicious: 5.0.4. Treat any of these as compromised.

How do I remediate eslint-helper-1 if I installed it?

Remove eslint-helper-1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is eslint-helper-1 part of a known attack campaign?

Yes — eslint-helper-1 is associated with the IN-MAL-2026-007043 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect eslint-helper-1 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking eslint-helper-1 and packages like it before any post-install script runs.

Malicious package

eslint-helper-1npm

Malicious code in eslint-helper-1 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6188

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall eslint-helper-1

What this malware does

Package masquerades as an ESLint helper but contains code in index.js that decodes base64 blobs through Buffer.from(..., 'base64').toString() and pipes the resulting strings into execSync('bash...') and execSync('zsh...'). This is the canonical obfuscated-shell-dropper shape: hidden payload bytes are reconstituted at runtime and handed to a shell interpreter, giving the author arbitrary command execution on the installer's machine. The name (eslint-helper-1) and lack of any legitimate ESLint integration are consistent with a typosquat / brand-impersonation lure for a credential-stealing or remote-execution payload.

Malicious versions

1 flagged

5.0.4

Indicators of compromise (SHA-256)

cfadd6e70cf70ee03d7aae8bfcaa916d29073c5e09ca614bfcb4538c3efc1832

Frequently asked questions

No. eslint-helper-1 on npm has been identified as a malicious package (version 5.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007043

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection