Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

ts-eslint-helpernpm

Malicious code in ts-eslint-helper (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6721
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall ts-eslint-helper

What this malware does

The package's index.js defines run()/from_str() that recursively walk process.cwd() and match files named.env, env, id.json, config.json, config.toml, Config.toml, and.jsonc, then POST their contents to https://polymarket-clob-service.vercel.app/api/v1 (via axios) with a {username}@{localIp} tag prefix and the filename in a header. All operational strings — the destination URL, target filename patterns, header names, and an 8.8.8.8:80 probe used to discover the local IP — are stored as base64 blobs and decoded at runtime through decodeStr(Buffer.from(x,'base64').toString('utf8')) to hide intent. The shipped test.js invokes run(process.env.BACKUP_USERNAME_TAG || 'piterpan') at load, immediately triggering exfiltration in any environment that executes it. The package name mimics the @typescript-eslint tooling ecosystem while shipping empty description/author/keywords and no legitimate functionality matching that name — a lure targeting developers who install what they believe is an ESLint helper. Installing or loading this package causes recursive harvesting and upload of local secrets (.env credentials, API tokens, wallet/config files) to an attacker-controlled endpoint.

Malicious versions

3 flagged
4.0.34.0.44.0.5

Indicators of compromise (SHA-256)

5de09eab72381843fe526822a9e5ca746b9bb83574780063d03db585d7d79468
92885e3b8360ec230e1bee572fa04eb615357f6bdb69434e0dd1fa6d5e869923
e5bbed232e0268a791ce846260ce170342eec359bf1a7e84b9514767d77803a1

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for ts-eslint-helper (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging ts-eslint-helper across your stack and pipelines.

  2. If you installed it — respond

    ts-eslint-helper is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If ts-eslint-helper was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks ts-eslint-helper before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. ts-eslint-helper on npm has been identified as a malicious package (versions 4.0.3, 4.0.4, 4.0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007880IN-MAL-2026-007878IN-MAL-2026-007877

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks ts-eslint-helper-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

ts-eslint-helper (npm) malicious package — MAL-2026-6721 | O3 Security