ts-opus@0.0.8

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 9:44 PM UTC

Malicious

OSV ID: MAL-2026-6468

Ecosystem: npm

Summary

ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js (README, copyright, and repository URL all reference big.js) but injects an additional top-level block inside both big.js and big.mjs that calls require('node-slot') and invokes doc.from_str(), with both the synchronous error and the returned promise's rejection silently swallowed (try {....then(e=>{}).catch(e=>{}) } catch(error){}). The required module name node-slot is not declared in package.json — the declared dependency is the differently named ref-slot — so the code intentionally loads an externally resolved package whose contents are not controlled by this tarball. Any consumer who calls require('ts-opus') or imports big.mjs triggers loading and executing whatever node-slot resolves to at install time, with failures hidden from the user. The combination of (a) a cover-story package presenting itself as big.js, (b) require-time execution of an undeclared external module, and (c) silenced error handling to hide payload failures is a targeted supply-chain attack against consumers who believe they are pulling in big.js.

Source: amazon-inspector (73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7)
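
The mismatch described in the summary (code requires node-slot while package.json declares ref-slot) can be checked mechanically before a package is admitted to a dependency tree. The following is an added example, not code from the report or from the package: a regex-based heuristic whose function names, sample manifest and sample file bodies are all constructed for illustration.

```javascript
// Added example: flag bare module specifiers that package.json does not declare.
const BUILTINS = new Set(typeof require === 'function'
  ? require('module').builtinModules
  : ['fs', 'path', 'os', 'http', 'https', 'crypto', 'child_process']); // fallback subset

// Matches require('x'), import('x'), import ... from 'x', and import 'x'.
const SPECIFIER = /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)|\b(?:from|import)\s+['"]([^'"]+)['"]/g;

// Reduce 'pkg/sub/path' or '@scope/pkg/sub' to the installable package name.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null; // relative or absolute file
  if (spec.startsWith('node:')) return null;                      // explicit Node builtin
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// pkg: parsed package.json object; sources: { fileName: sourceText }.
function findUndeclaredModules(pkg, sources) {
  const declared = new Set([pkg.name,
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
    ...Object.keys(pkg.peerDependencies || {})]);
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const m of text.matchAll(SPECIFIER)) {
      const name = packageName(m[1] || m[2]);
      if (name && !declared.has(name)) findings.push({ file, module: name });
    }
  }
  return findings;
}

// Constructed sample modelled on the report; the version range and file bodies are stand-ins.
const samplePkg = { name: 'ts-opus', version: '0.0.8', dependencies: { 'ref-slot': '*' } };
const sampleSources = {
  'big.js': "const fs = require('fs');\nconst r = require('ref-slot');\ntry { require('node-slot'); } catch (error) {}\n",
  'big.mjs': "import h from './helper.mjs';\ntry { require('node-slot'); } catch (error) {}\n",
};

console.log(findUndeclaredModules(samplePkg, sampleSources));
```

Because the match is textual, specifiers inside comments or string literals are also reported, so treat a finding as a prompt for manual review of the file rather than a verdict.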
