rs-biginteger @6.1.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6675
Ecosystem
npm
Summary
rs-biginteger ships a verbatim copy of MikeMcl/big.js source, README, copyright header, and repository URL, but is published under a different name. Both entry points (big.js and big.mjs) contain an injected top-level try/catch that calls require('ts-lint-builders') and immediately invokes doc.from_str(), with all errors silently swallowed. This fires on every consumer require()/import of the package, handing execution to an external module. The package.json declares 'ts-linting-builder' (^2.1.2) as a dependency — a name that does not match the string actually require()'d, further obscuring the relationship and ensuring the resolved module identity is opaque to anyone reading dependencies. The big.js impersonation (name, author metadata, README, repository field still pointing at MikeMcl/big.js) functions as the lure that delivers the import-time dropper to consumers who expected an inert arbitrary-precision arithmetic library.
Source: amazon-inspector (983883a1a8bbd732c686abf6c6298425952625aaf4de72ab2a862b26a98a54f4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.