Which versions of ts-linter-builders are malicious?

The following npm versions of ts-linter-builders are flagged malicious: 1.0.4. Treat any of these as compromised.

How do I remediate ts-linter-builders if I installed it?

Remove ts-linter-builders from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is ts-linter-builders part of a known attack campaign?

Yes — ts-linter-builders is associated with the IN-MAL-2026-007045 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect ts-linter-builders in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking ts-linter-builders and packages like it before any post-install script runs.

Malicious package

ts-linter-buildersnpm

Malicious code in ts-linter-builders (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6195

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall ts-linter-builders

What this malware does

index.js imports child_process and contains a hardcoded outbound POST to https://tg-wallet-manager.vercel.app, with additional fetch() calls to the same destination. The code reads environment data and host identifiers and ships them to this attacker-controlled endpoint. The package name advertises a TypeScript linter helper, but the embedded behavior is unrelated to linting and matches the shape of a credential/host-info beacon. The hardcoded third-party Vercel-hosted endpoint, combined with environment reads and child_process import, constitutes an installer-side exfiltration / RCE staging surface with no legitimate purpose for a 'linter builder' package.

Malicious versions

1 flagged

1.0.4

Indicators of compromise (SHA-256)

a22153f1e71ba9fb51ce22d5fc57180ce4d8998995fbc4bd554d6dd532c195b6

Frequently asked questions

No. ts-linter-builders on npm has been identified as a malicious package (version 1.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007045

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection