MAL-2026-6316
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3)
Package is published as 'ts-biginteger-lib' but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to 'Michael Mclaughlin M8ch88l@gmail.com', repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls require("ts-lint-builders") and invokes doc.from_str().then(...).catch(...). package.json additionally declares "ts-linter-builders": "latest" as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer require()s or imports ts-biginteger-lib. The unpinned latest specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "big.js",
"sha256": "7d3c7d774ce3d9231e144c52830418ee9a38e7fd6f1c7d9f5c83c882ab8485ad",
"tlsh": "cdc2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc"
},
{
"path": "package.json",
"sha256": "57fed54dc425b3d763b4b2deb0d63e50ee2bb1ce117b5c52e3a01db76fd0c631",
"tlsh": "6e212263c9b19da70af85b94b86c43aaf1161b2f00a05c57b07b130c4b7345b2095bbd"
}
],
"package_integrity": [
{
"filename": "ts-biginteger-lib-5.0.5.tgz",
"hashes": {
"sha1": "598e816ee6e49bf3264d46e4a35487d23aae0d84",
"sha512_sri": "sha512-Qke1nuOGZtQUtQU0b9xNb9PyY8dCpItaCjavtbBnzvk1DiTsAEOgGD0Sq+j1yHh9bhSxkYyoUNoNqs9LayMzzQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "ts-biginteger-lib"
},
"versions": [
"5.0.5"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007259",
"import_time": "2026-06-23T16:54:12.462976362Z",
"modified_time": "2026-06-23T16:07:35Z",
"sha256": "b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3",
"source": "amazon-inspector",
"versions": [
"5.0.5"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3)\nPackage is published as \u0027ts-biginteger-lib\u0027 but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to \u0027Michael Mclaughlin \u003cM8ch88l@gmail.com\u003e\u0027, repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls `require(\"ts-lint-builders\")` and invokes `doc.from_str().then(...).catch(...)`. package.json additionally declares `\"ts-linter-builders\": \"latest\"` as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer `require()`s or `import`s ts-biginteger-lib. The unpinned `latest` specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.\n",
"id": "MAL-2026-6316",
"modified": "2026-06-23T16:07:35Z",
"published": "2026-06-23T16:07:35Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/ts-biginteger-lib/v/5.0.5"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in ts-biginteger-lib (npm)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.