{"id":"MAL-2026-3750","summary":"Malicious code in bigint.fs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cb3e0cb5c95475ce69c3672be6acfb9283bc6e29a1d7ba7452c922e7dc96a966)\nOn require()/import, index.js runs an IIFE that POSTs a getAccountInfo RPC call to https://api.devnet.solana.com for Solana account 4WF8QCFEnVD7BLs3QAVe2SjxRZ4n3EboCsdhj363VAqZ, base64-decodes the returned account data, reads a length prefix at offset 32, extracts the payload bytes at offset 36, and passes the resulting UTF-8 source to `new Function('require','module','exports', src)` — executing arbitrary JavaScript with the full privileges of the importing Node.js process. The payload is mutable (the attacker can rewrite the on-chain account data at any time), unpinned, not hash- or signature-verified, and delivered from infrastructure the attacker controls. The use of a public blockchain RPC endpoint as a C2 channel is designed to evade simple domain/IP blocking while remaining fully attacker-rewritable. The package name masquerades as a BigInt/filesystem utility; there is no legitimate reason for such a library to fetch and eval remote code on load.\n","modified":"2026-05-15T07:52:28.882557Z","published":"2026-05-14T19:24:52Z","database_specific":{"malicious-packages-origins":[{"versions":["5.0.6"],"id":"IN-MAL-2026-002659","sha256":"cb3e0cb5c95475ce69c3672be6acfb9283bc6e29a1d7ba7452c922e7dc96a966","import_time":"2026-05-15T07:37:15.586875521Z","modified_time":"2026-05-14T19:24:52Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bigint.fs/v/5.0.6"}],"affected":[{"package":{"name":"bigint.fs","ecosystem":"npm","purl":"pkg:npm/bigint.fs"},"versions":["5.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bigint.fs/MAL-2026-3750.json","indicators":{"evidence_files":[{"tlsh":"a211485f023714370bbe90b21722600bd585936f200084a67f3c92950f7dc4885d2adc","sha256":"bcfb01ee49200436ae27674b4294a5658ddfa08862e2808051648db5f200e16f","path":"index.js"}],"package_integrity":[{"hashes":{"sha1":"09322d3bb2d0b2ca9b3f63fdeebb36263a4457b6","sha512_sri":"sha512-bAKXOuUexxw/2RB8YMriQuJN9mR77HQzRgcCv/RK2aF6n4E5Glsa6/40D1Ls20ZsfoToywY4GYL8sjrpWMq98A=="},"filename":"bigint.fs-5.0.6.tgz"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}