ts-biginteger-lib @5.0.5
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6316
Ecosystem
npm
Summary
Package is published as 'ts-biginteger-lib' but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to 'Michael Mclaughlin <M8ch88l@gmail.com>', repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls require("ts-lint-builders") and invokes doc.from_str().then(...).catch(...) . package.json additionally declares "ts-linter-builders": "latest" as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer require() s or import s ts-biginteger-lib. The unpinned latest specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.
Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.