{"id":"MAL-2026-5470","summary":"Malicious code in getd-typescript-eslint-rules (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f)\nOn `npm install`, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers (CI, BUILD_BUILDID, AGENT_NAME), and package name/version, then sends them as query parameters in an HTTPS GET to a hardcoded webhook.site collector (https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5). Errors are swallowed so the install does not fail visibly. The package's own metadata declares it a typosquat targeting `@getd/typescript-eslint-rules` and frames the beacon as 'defensive security research,' but the on-install behavior identifies any installer (including internal CI build agents) to a third-party endpoint regardless of stated intent.\n","modified":"2026-06-09T21:01:41.954394904Z","published":"2026-06-09T20:29:31Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-09T20:45:54.671452791Z","id":"IN-MAL-2026-005211","versions":["0.0.1"],"source":"amazon-inspector","modified_time":"2026-06-09T20:29:31Z","sha256":"caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f"},{"modified_time":"2026-06-09T20:29:32Z","source":"amazon-inspector","versions":["0.0.1"],"import_time":"2026-06-09T20:45:54.843400782Z","id":"IN-MAL-2026-005212","sha256":"fbc75f9b06e69a7a9abfece2eb3d4f9c8b3c5f46e927b94c0037781e4aace47b"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/getd-typescript-eslint-rules/v/0.0.1"}],"affected":[{"package":{"name":"getd-typescript-eslint-rules","ecosystem":"npm","purl":"pkg:npm/getd-typescript-eslint-rules"},"versions":["0.0.1"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"getd-typescript-eslint-rules-0.0.1.tgz","hashes":{"sha1":"9c5cb575acff617499aef6961c34effd504d6eba","sha512_sri":"sha512-UFT4/MjM3UCELq/U9EGJX+dBxsrlIUFiYBtuK8v+xFVpZS6l1txZY3fqsBqHw/pV1XcpkYc9h6ZozFyxBDXd0A=="}}],"evidence_files":[{"tlsh":"062107b553f185201ee107c071bb140bba7bf1147697db90719d7341abf2539970356e","path":"postinstall.js","sha256":"4c012ed0db2ff88d1a8ce244a70fad334cb37a266e557b37538e7f9580f0f164"},{"tlsh":"4d01f42a76264a3329c01a6c5d32a80a3d128e5751167d1e27e7070143dfd7fc5ff31a","path":"package.json","sha256":"88332683aee21615bec23e1f88f4a3cf68cf3365428cd0260b101d073403fa29"}],"domains":["webhook.site"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/getd-typescript-eslint-rules/MAL-2026-5470.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}