OSV ID
MAL-2026-6278
Ecosystem
npm
Summary
The package is published under the name ts-wross, but its package.json claims authorship by Michael Mclaughlin (M8ch88l@gmail.com), points its repository field at https://github.com/MikeMcl/big.js.git, and carries a description and keywords copied from the legitimate big.js arbitrary-precision arithmetic library. The shipped source is a verbatim copy of big.js v7.0.1 with one modification: a try/catch block injected mid-file in both big.js and big.mjs that runs const doc = require("node-slot"); doc.from_str().then(...).catch(...) at module load. Errors are swallowed by the surrounding try/catch, so the call is silent. node-slot is declared as a runtime dependency ("node-slot": "^1.0.8") and is therefore pulled in and executed on any require('ts-wross') or import 'ts-wross'. The legitimate big.js has zero dependencies and makes no such call: the inserted require is a loader trampoline that hands import-time execution on the installer's machine to whatever code node-slot ships. Combined with the impersonated metadata, the package is a lure that drops attacker-controlled code into any consumer that installs it under the assumption that it is, or is related to, big.js.
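The three signals the summary describes (repository field naming a different project than the package, a runtime dependency the claimed upstream does not have, and a require of that dependency wrapped in a try/catch) can be checked mechanically over an installed package. The following Python script is an added triage example, not part of the OSV record or of any scanner; the package.json dictionary and the source excerpt are constructed here to mirror the advisory's description, and the function names are this example's own.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed package.json mirroring the metadata the advisory describes
# (values typed in for this example, not the published file itself).
PACKAGE_JSON = {
    "name": "ts-wross",
    "version": "7.0.1",
    "description": "A small, fast JavaScript library for arbitrary-precision decimal arithmetic.",
    "author": "Michael Mclaughlin <M8ch88l@gmail.com>",
    "repository": {"type": "git", "url": "https://github.com/MikeMcl/big.js.git"},
    "dependencies": {"node-slot": "^1.0.8"},
}

# Constructed excerpt standing in for the injected block; the surrounding
# big.js code is elided and the call shape follows the advisory's wording.
SOURCE_EXCERPT = """
  P.abs = function () { /* big.js body elided */ };
  try {
    const doc = require("node-slot");
    doc.from_str().then(function () {}).catch(function () {});
  } catch (e) {}
  P.cmp = function (y) { /* big.js body elided */ };
"""


def repo_name_from_url(url):
    """Return the repository basename without a trailing .git, or None."""
    path = urlparse(url).path.rstrip("/")
    if not path:
        return None
    name = path.rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".git") else name


def find_indicators(pkg, source, upstream_dependencies=frozenset()):
    """Return (code, detail) pairs for the impersonation and loader-trampoline
    signs described in the advisory. upstream_dependencies is the dependency
    set of the library the metadata claims to be (big.js declares none)."""
    indicators = []
    name = pkg.get("name", "")
    repo = pkg.get("repository", "")
    repo_url = repo.get("url", "") if isinstance(repo, dict) else repo
    repo_name = repo_name_from_url(repo_url)
    if repo_name and repo_name != name:
        indicators.append(("repo-name-mismatch",
                           f"package {name!r} points its repository at {repo_name!r}"))
    deps = pkg.get("dependencies", {})
    for dep in sorted(deps):
        if dep not in upstream_dependencies:
            indicators.append(("unexpected-dependency",
                               f"{dep} {deps[dep]} is not declared by the claimed upstream"))
        # Match require("<dep>") with no closing brace between the try { and
        # the call, i.e. the require sits directly inside a try block.
        pattern = (r'try\s*\{(?:(?!\}).)*?require\(\s*["\']'
                   + re.escape(dep) + r'["\']\s*\)')
        if re.search(pattern, source, re.DOTALL):
            indicators.append(("wrapped-require",
                               f"require({dep!r}) is executed inside a try/catch block"))
    return indicators


def scan_installed(package_dir, upstream_dependencies=frozenset()):
    """Run find_indicators over an installed package such as node_modules/<name>,
    concatenating its JavaScript sources so mid-file injections are covered."""
    package_dir = Path(package_dir)
    pkg = json.loads((package_dir / "package.json").read_text(encoding="utf-8"))
    sources = [p.read_text(encoding="utf-8", errors="replace")
               for p in package_dir.rglob("*") if p.suffix in (".js", ".mjs", ".cjs")]
    return find_indicators(pkg, "\n".join(sources), upstream_dependencies)


if __name__ == "__main__":
    for code, detail in find_indicators(PACKAGE_JSON, SOURCE_EXCERPT):
        print(f"{code}: {detail}")
```

Each indicator on its own is only a heuristic (forks legitimately point at their upstream repository, and guarded requires exist for optional dependencies), but all three together on a package whose metadata names a zero-dependency library is the pattern this record describes, and scan_installed lets the same check run against a real node_modules entry.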
Source: amazon-inspector (42dae43b7ff77748f10ae5faf6d87b7d63552e5629a37c931ea2c0de3539b469)