npm

rs-biginteger @6.1.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC

Malicious

OSV ID

MAL-2026-6675

Ecosystem

npm

Summary

rs-biginteger ships a verbatim copy of MikeMcl/big.js source, README, copyright header, and repository URL, but is published under a different name. Both entry points (big.js and big.mjs) contain an injected top-level try/catch that calls require('ts-lint-builders') and immediately invokes doc.from_str(), with all errors silently swallowed. This fires on every consumer require()/import of the package, handing execution to an external module. The package.json declares 'ts-linting-builder' (^2.1.2) as a dependency — a name that does not match the string actually require()'d, further obscuring the relationship and ensuring the resolved module identity is opaque to anyone reading dependencies. The big.js impersonation (name, author metadata, README, repository field still pointing at MikeMcl/big.js) functions as the lure that delivers the import-time dropper to consumers who expected an inert arbitrary-precision arithmetic library.

Source: amazon-inspector (983883a1a8bbd732c686abf6c6298425952625aaf4de72ab2a862b26a98a54f4)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.