Which versions of eslint-plugin-mistica-local-rules are malicious?

The following npm versions of eslint-plugin-mistica-local-rules are flagged malicious: 19.12.11. Treat any of these as compromised.

How do I remediate eslint-plugin-mistica-local-rules if I installed it?

Remove eslint-plugin-mistica-local-rules from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is eslint-plugin-mistica-local-rules part of a known attack campaign?

Yes — eslint-plugin-mistica-local-rules is associated with the IN-MAL-2026-005836, IN-MAL-2026-005835 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect eslint-plugin-mistica-local-rules in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking eslint-plugin-mistica-local-rules and packages like it before any post-install script runs.

Malicious package

eslint-plugin-mistica-local-rulesnpm

Malicious code in eslint-plugin-mistica-local-rules (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5703

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall eslint-plugin-mistica-local-rules

What this malware does

package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity (os.hostname(), os.platform(), os.arch(), os.userInfo() including uid/gid, shell, homedir, cwd) and the output of whoami and id via child_process, then POSTs the JSON payload to the hardcoded URL https://eucfugc8bk66haszliir75yd74dv1lpa.oastify.com/detox56 (a Burp Collaborator subdomain). The package ships no eslint rule implementation — its only effect on install is the recon/exfiltration beacon. The package name eslint-plugin-mistica-local-rules mimics the Telefónica Mistica design-system internal eslint-plugin namespace, consistent with a dependency-confusion attack against private-registry consumers.

Malicious versions

1 flagged

19.12.11

Indicators of compromise (SHA-256)

72d5fe15c6bf5a8084dd7cb92869cfe7d7c8a667581dd8ba8c0de403bcfeff57

c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123

Frequently asked questions

No. eslint-plugin-mistica-local-rules on npm has been identified as a malicious package (version 19.12.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005836IN-MAL-2026-005835

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection