ts-arithmetic-helper @3.7.2
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6315
Ecosystem
npm
Summary
ts-arithmetic-helper@3.7.2 ships source files that copy the big.js v7.0.1 library verbatim (preserving Michael Mclaughlin's copyright banner and the full big.js API) but insert a hidden require('parket-flow') call between the P.minus and P.mod method definitions in both big.js and big.mjs. The require is wrapped in a try/catch whose catch block is empty, and the loaded module's doc.from_str() is invoked immediately, with any error silently swallowed. Real big.js has zero runtime dependencies and never executes such code. parket-flow is declared as a runtime dependency in package.json ("parket-flow": "^3.0.2"), so any installer whose code requires or imports this module pulls parket-flow into the dependency tree and executes its code at module load time. The mid-file placement (rather than at the top of the file), the error suppression, and the impersonation of a popular library are consistent with a deliberate dependency-chain dropper rather than a legitimate fork. The malicious payload is delivered through the smuggled transitive dependency: installers who believe they have a big.js-compatible math helper instead silently load and execute parket-flow.
Source: amazon-inspector (4712d3f1a81541e2b3143f89974200358301b0a9831c3187875adc1fbe82bfbe)
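The shape described above (a require() whose only use sits inside a try block with an empty catch, for a package that also declares that module as a runtime dependency) can be flagged with a small dependency-free heuristic scanner. This is an added example, not code from the report or from the package; the sample package.json and source lines are constructed to mimic the described layout, and the scanner is regex-based, so a real audit would use an AST parser instead.

```javascript
// Heuristic detector for a "silently swallowed" module load:
//   try { ... require('x') ... } catch (e) {}
// Regex-based on purpose so it runs with no dependencies. It only matches
// try bodies without nested braces; an AST-based audit would cover the rest.
const SUPPRESSED_TRY = /try\s*\{([^{}]*)\}\s*catch\s*(?:\([^)]*\))?\s*\{\s*\}/g;
const REQUIRE_CALL = /require\(\s*['"]([^'"]+)['"]\s*\)/g;

// Return every require() found inside a try { ... } catch {} block,
// with the 1-based line number of the enclosing try.
function findSuppressedRequires(source) {
  const hits = [];
  for (const block of source.matchAll(SUPPRESSED_TRY)) {
    const line = source.slice(0, block.index).split('\n').length;
    for (const req of block[1].matchAll(REQUIRE_CALL)) {
      hits.push({ module: req[1], line });
    }
  }
  return hits;
}

// Cross-check each hit against package.json: a declared runtime dependency
// that is loaded only under error suppression is the dropper shape to flag.
function auditPackage(pkg, files) {
  const declared = Object.keys(pkg.dependencies || {});
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const hit of findSuppressedRequires(source)) {
      findings.push({
        file,
        line: hit.line,
        module: hit.module,
        declaredDependency: declared.includes(hit.module),
      });
    }
  }
  return findings;
}

// Constructed sample (not the real package contents): a big.js lookalike
// with the hidden require placed between P.minus and P.mod.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-math-helper',
  dependencies: { 'parket-flow': '^3.0.2' },
};
const SAMPLE_BIG_JS = [
  'P.minus = function (y) { return this.plus(y.neg()); };',
  'try { var doc = require("parket-flow"); doc.from_str(); } catch (e) {}',
  'P.mod = function (y) { return y; };',
].join('\n');

console.log(auditPackage(SAMPLE_PACKAGE_JSON, { 'big.js': SAMPLE_BIG_JS }));
```

A finding with declaredDependency true on a package whose upstream has no runtime dependencies is the signal to quarantine the version and compare it against the upstream release.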