{"id":"MAL-2026-6316","summary":"Malicious code in ts-biginteger-lib (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3)\nPackage is published as 'ts-biginteger-lib' but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to 'Michael Mclaughlin \u003cM8ch88l@gmail.com\u003e', repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls `require(\"ts-lint-builders\")` and invokes `doc.from_str().then(...).catch(...)`. package.json additionally declares `\"ts-linter-builders\": \"latest\"` as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer `require()`s or `import`s ts-biginteger-lib. The unpinned `latest` specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.\n","modified":"2026-06-23T17:01:25.319380277Z","published":"2026-06-23T16:07:35Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3","import_time":"2026-06-23T16:54:12.462976362Z","modified_time":"2026-06-23T16:07:35Z","id":"IN-MAL-2026-007259","versions":["5.0.5"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-biginteger-lib/v/5.0.5"}],"affected":[{"package":{"name":"ts-biginteger-lib","ecosystem":"npm","purl":"pkg:npm/ts-biginteger-lib"},"versions":["5.0.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"cdc2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc","sha256":"7d3c7d774ce3d9231e144c52830418ee9a38e7fd6f1c7d9f5c83c882ab8485ad","path":"big.js"},{"tlsh":"6e212263c9b19da70af85b94b86c43aaf1161b2f00a05c57b07b130c4b7345b2095bbd","sha256":"57fed54dc425b3d763b4b2deb0d63e50ee2bb1ce117b5c52e3a01db76fd0c631","path":"package.json"}],"package_integrity":[{"filename":"ts-biginteger-lib-5.0.5.tgz","hashes":{"sha1":"598e816ee6e49bf3264d46e4a35487d23aae0d84","sha512_sri":"sha512-Qke1nuOGZtQUtQU0b9xNb9PyY8dCpItaCjavtbBnzvk1DiTsAEOgGD0Sq+j1yHh9bhSxkYyoUNoNqs9LayMzzQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-biginteger-lib/MAL-2026-6316.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}