MAL-2026-2527
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/sjs-biginteger/MAL-2026-2527.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-2527
- Published
- 2026-04-09T14:05:08Z
- Modified
- 2026-04-10T17:35:10.492116Z
- Summary
- Malicious code in sjs-biginteger (npm)
- Details
-
sjs-biginteger typosquats big.js on npm. Published April 7, 2026 by throwaway account vanes.s.p.orit.a, the package ships legitimate big.js source and hides its payload in a dependency: sjs-lint-build1. On install, the dependency’s postinstall hook fetches the attacker’s SSH public key from a C2 server, appends it to ~/.ssh/authorized_keys, opens firewall port 22, then collects SSH keys, environment variables, config files (.env, Solana id.json, config.toml), and system fingerprints. It exfiltrates the collected data to two Vercel-hosted C2 domains disguised as Cloudflare services.
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (ad825f5a8f4892374c8e1f8a4d1e5e84e28419eb656035667c4c9d8964966f6d)
The package sjs-biginteger was found to contain malicious code.
- Database specific
{ "malicious-packages-origins": [ { "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "sha256": "ad825f5a8f4892374c8e1f8a4d1e5e84e28419eb656035667c4c9d8964966f6d", "source": "amazon-inspector", "modified_time": "2026-04-10T17:02:58Z", "import_time": "2026-04-10T17:21:49.664459835Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
- SafeDep - FINDER
-
Affected packages
npm / sjs-biginteger
Package
- Name
- sjs-biginteger
- View open source insights on deps.dev
- Purl
- pkg:npm/sjs-biginteger