npm

ts-esys @0.0.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-6205

Ecosystem

npm

Summary

The package is published as ts-esys but its package.json author, repository URL, funding metadata, and README are copied verbatim from MikeMcl/big.js (which advertises 'No dependencies'). Both entrypoints big.js and big.mjs contain a top-level try { const doc = require('websocket-slot'); doc.from_str().then(...).catch(...) } catch {} block that runs on every require('ts-esys') / import of either entrypoint. The dependency websocket-slot ^0.0.6 is unrelated to the advertised arbitrary-precision-decimal purpose, is not mentioned in the README (which still claims 'No dependencies'), and any error from its execution is silently swallowed. The combination of identity impersonation + hidden runtime dependency loader + concealed errors is the standard supply-chain launcher pattern: installers who pull ts-esys (e.g., expecting big.js-compatible behavior) execute whatever code websocket-slot ships, with no surface visibility.

Source: amazon-inspector (041ff0fd2b76f380705ef23061ebfe469477b2fbec8e025eab49a557431a551e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.