{"id":"MAL-2026-6342","summary":"Malicious code in therdweb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117)\nThe package's name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK, while its contents (README, source code, author field 'Michael Mclaughlin', repository URL pointing at MikeMcl/big.js, version banner '7.0.1') are copied verbatim from the unrelated big.js library — the publisher is not the original author of either project. Both shipped entrypoints, big.js and big.mjs, contain an injected try/catch block that performs `require(\"parket-slot\")` and immediately invokes `doc.from_str()` on it at module load, with the catch block left empty to swallow errors. `parket-slot` is not listed in `package.json` dependencies and is not mentioned in the README (which falsely claims 'No dependencies'); package.json additionally declares an undocumented dependency `log-taker@^0.0.9`. Any consumer that imports or requires this package will execute code from these external, undeclared/hidden modules controlled by the same actor, while the README hides their existence.\nThis is the loader half of a multi-package install-graph dropper paired with name-confusion against thirdweb and identity impersonation of big.js.\n","modified":"2026-06-23T21:01:21.784382310Z","published":"2026-06-23T20:01:30Z","database_specific":{"malicious-packages-origins":[{"versions":["0.0.8"],"source":"amazon-inspector","sha256":"d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117","import_time":"2026-06-23T20:48:30.793539676Z","id":"IN-MAL-2026-007357","modified_time":"2026-06-23T20:01:30Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/therdweb/v/0.0.8"}],"affected":[{"package":{"name":"therdweb","ecosystem":"npm","purl":"pkg:npm/therdweb"},"versions":["0.0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/therdweb/MAL-2026-6342.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha1":"188b33c5d430cbdf1ca4ad3ca5700d26ba6804b1","sha512_sri":"sha512-EQz6H89XVA6bE2l1B6kAzTsD0r5sgKtIHeLUXgfrdT70BHWfwlOO6iqpa/Gc5z1pENV8tGlmEeBpx3ci7gU2tA=="},"filename":"therdweb-0.0.8.tgz"}],"evidence_files":[{"tlsh":"24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc","sha256":"5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace","path":"big.js"},{"tlsh":"76210467c9a59da70af85ba47c6c03aaf1151b1f44a05c5bb07b130c4b3355b2096b7d","sha256":"a5ed77bf96808cd9df14566d6e83f54fcaddb4dcd576fa898e147aced0dbcb26","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}