{"id":"MAL-2026-2527","summary":"Malicious code in sjs-biginteger (npm)","details":"sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2 server, appends it to ~/.ssh/authorized_keys, opens firewall port 22, then collects SSH keys, environment variables, config files (.env, Solana id.json, config.toml), and system fingerprints. It exfiltrates the collected data to two Vercel-hosted C2 domains disguised as Cloudflare services.\n\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ad825f5a8f4892374c8e1f8a4d1e5e84e28419eb656035667c4c9d8964966f6d)\nThe package sjs-biginteger was found to contain malicious code.\n","modified":"2026-04-10T17:35:10.492116Z","published":"2026-04-09T14:05:08Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-04-10T17:21:49.664459835Z","sha256":"ad825f5a8f4892374c8e1f8a4d1e5e84e28419eb656035667c4c9d8964966f6d","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"source":"amazon-inspector","modified_time":"2026-04-10T17:02:58Z"}]},"references":[{"type":"REPORT","url":"https://safedep.io/malicious-sjs-biginteger-npm-ssh-theft/"}],"affected":[{"package":{"name":"sjs-biginteger","ecosystem":"npm","purl":"pkg:npm/sjs-biginteger"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sjs-biginteger/MAL-2026-2527.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"},{"name":"SafeDep","contact":["https://safedep.io"],"type":"FINDER"}]}