{
  "id": "MAL-2026-5647",
  "summary": "Malicious code in ts-ecro (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2)\nPackage is published as 'ts-ecro' but ships a verbatim copy of big.js v7.0.1 with the original author's copyright, email, and GitHub repository URL — a typosquat/impersonation façade for the upstream big.js library. At module top-level, the entrypoint require()s a sibling attacker-controlled package and immediately invokes its from_str() method, executing arbitrary code from that dependency on every import. The CommonJS variant (big.js:606-608) loads 'websocket-slot' and calls doc.from_str().then(...).catch(...); the ESM variant (big.mjs:606-608) wraps require(\"parket-slot\") + doc.from_str() in a try/catch that swallows errors so the import appears clean. package.json declares 'parket-slot': '^0.0.6' as a runtime dependency, ensuring the loader executes on a default install. The genuine big.js library has no such require call — the loader is appended on top of an otherwise-legitimate codebase to disguise the attack.\nAny project that installs and imports this package automatically runs whatever code parket-slot / websocket-slot ships, with attacker control over those packages' contents.\n",
  "modified": "2026-06-11T13:46:35.755686706Z",
  "published": "2026-06-11T13:19:22Z",
  "database_specific": {
    "malicious-packages-origins": [
      { "versions": ["0.0.5"], "source": "amazon-inspector", "id": "IN-MAL-2026-005741", "sha256": "37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2", "import_time": "2026-06-11T13:27:21.151877739Z", "modified_time": "2026-06-11T13:19:22Z" },
      { "source": "amazon-inspector", "versions": ["0.0.6"], "id": "IN-MAL-2026-005744", "sha256": "6c0bc0efa5cfcc82b1f5b92bdbe69263b1da4cd9430a12c3e115e32002deda7e", "import_time": "2026-06-11T13:27:21.274204488Z", "modified_time": "2026-06-11T13:19:25Z" },
      { "versions": ["0.0.6"], "source": "amazon-inspector", "id": "IN-MAL-2026-005743", "sha256": "8f2e942dcd86b8cef2bd0eb8809553bdd339bfc9c30b23ed3908df264a28fac0", "import_time": "2026-06-11T13:27:21.219174567Z", "modified_time": "2026-06-11T13:19:25Z" },
      { "source": "amazon-inspector", "versions": ["0.0.5"], "id": "IN-MAL-2026-005742", "sha256": "f7dba297ddf69a33859e42330e69aefaba884b2893aae47b98d531129c45d212", "import_time": "2026-06-11T13:27:21.190505859Z", "modified_time": "2026-06-11T13:19:23Z" }
    ]
  },
  "references": [
    { "type": "PACKAGE", "url": "https://www.npmjs.com/package/ts-ecro/v/0.0.5" },
    { "type": "PACKAGE", "url": "https://www.npmjs.com/package/ts-ecro/v/0.0.6" }
  ],
  "affected": [
    {
      "package": { "name": "ts-ecro", "ecosystem": "npm", "purl": "pkg:npm/ts-ecro" },
      "versions": ["0.0.5", "0.0.6"],
      "database_specific": {
        "indicators": {
          "domains": ["datasecure-service.vercel.app"],
          "evidence_files": [
            { "path": "big.mjs", "tlsh": "50c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc", "sha256": "cc4f38d2c43eae53227a80cb79358fe6373f067d82d5b4b9e1cc135a0fbfbcc3" },
            { "path": "package.json", "tlsh": "93210163c9a19da70af85ba4bc6c03aaf1161b2f40a05c5bb07b131c4b3345b2095bbd", "sha256": "defd0c08e5add03737a0d979034cb5509b86c8a94313789f913f6ab1e66770fb" }
          ],
          "package_integrity": [
            { "hashes": { "sha1": "617c8e5af9e25937b83a08c10eb962f6701814f2", "sha512_sri": "sha512-eVds3vphhGSNiX2T/VtfC+3BaNyes449zUK8RP/oJhl9k9xsBGUo+2j1KuevHsvqSLPmrLvMewDGmVenK5tkjA==" }, "filename": "ts-ecro-0.0.5.tgz" }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-ecro/MAL-2026-5647.json",
        "cwes": [
          { "name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature." },
          { "cweId": "CWE-506", "name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature." }
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    { "name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER" }
  ]
}