therdweb@0.0.8

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6342

Ecosystem

npm

Summary

The package name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK, while its contents (README, source code, author field 'Michael Mclaughlin', repository URL pointing at MikeMcl/big.js, version banner '7.0.1') are copied verbatim from the unrelated big.js library; the publisher is not the original author of either project. Both shipped entrypoints, big.js and big.mjs, contain an injected try/catch block that calls require("parket-slot") and immediately invokes doc.from_str() on the result at module load, with the catch block left empty to swallow any error. parket-slot is not listed in the package.json dependencies and is not mentioned in the README (which falsely claims 'No dependencies'); package.json additionally declares an undocumented dependency log-taker@^0.0.9. Any consumer that imports or requires this package therefore executes code from these external, undeclared modules controlled by the same actor, while the README conceals their existence. This is the loader half of a multi-package install-graph dropper, combined with name confusion against thirdweb and identity impersonation of big.js.

Source: amazon-inspector (d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117)
