goto-bus-stop / scope-analyzer

simple scope analysis for javascript ASTs

Packages es6-map and es6-set have malware #38

Open goldim opened 1 year ago

goldim commented 1 year ago

The dependencies es6-map and es6-set have the dependency es5-ext, which is flagged as JS.Siggen5 by antiviruses. There is a script which has more than just advertisement. All these packages are from one author who is responsible for it. Is there an opportunity to get rid of them and replace them with something else? Looking through the code of the analyzer I noticed that these two libraries, es6-map and es6-set, are used to support an ES5 environment, but how relevant is that nowadays?

leumasme commented 1 year ago

It seems that the "malware" is this postinstall script, which just logs a message in Russian about the war if the system timezone is set to one of 28:
// Broadcasts "Call for peace" message when package is installed in Russia, otherwise no-op

There is a script which has more than just advertisement.

Hardly so.

This is not great but not harmful, so I'd consider this package still safe to use, the only problem being that antivirus programs are removing the file as they deem it malicious (??). Considering scope-analyzer likely won't get updated any time soon, you should likely override the loaded es5-ext version in your package.json if the false antivirus flags are a problem for you.
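One way to apply the override suggested above, as an added example that is not part of this thread or of the scope-analyzer project: npm (8.3 or newer) honours an "overrides" field in package.json that forces every transitive occurrence of a package to a chosen version, so the es5-ext that scope-analyzer pulls in via es6-map and es6-set can be pinned to a release that your antivirus does not flag. The package name, the scope-analyzer range and the es5-ext version below are placeholders to be replaced with your own values.

```json
{
  "name": "example-app-using-scope-analyzer",
  "private": true,
  "dependencies": {
    "scope-analyzer": "<the range you already depend on>"
  },
  "overrides": {
    "es5-ext": "<es5-ext release without the postinstall script>"
  }
}
```

After editing, run `npm install` so the lockfile is regenerated, then `npm ls es5-ext` to confirm that only the pinned version is resolved anywhere in the tree. Yarn users get the same effect from a "resolutions" field instead of "overrides". If the concern is only the postinstall step itself rather than the file on disk, installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops any dependency's install-time scripts from running at all, which is a broader supply-chain precaution than this one package.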