MAL-2026-3750

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bigint.fs/MAL-2026-3750.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3750
Published
2026-05-14T19:24:52Z
Modified
2026-05-15T07:52:28.882557Z
Summary
Malicious code in bigint.fs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cb3e0cb5c95475ce69c3672be6acfb9283bc6e29a1d7ba7452c922e7dc96a966)

On require()/import, index.js runs an IIFE that POSTs a getAccountInfo RPC call to https://api.devnet.solana.com for Solana account 4WF8QCFEnVD7BLs3QAVe2SjxRZ4n3EboCsdhj363VAqZ, base64-decodes the returned account data, reads a length prefix at offset 32, extracts the payload bytes at offset 36, and passes the resulting UTF-8 source to new Function('require','module','exports', src) — executing arbitrary JavaScript with the full privileges of the importing Node.js process. The payload is mutable (the attacker can rewrite the on-chain account data at any time), unpinned, not hash- or signature-verified, and delivered from infrastructure the attacker controls. The use of a public blockchain RPC endpoint as a C2 channel is designed to evade simple domain/IP blocking while remaining fully attacker-rewritable. The package name masquerades as a BigInt/filesystem utility; there is no legitimate reason for such a library to fetch and eval remote code on load.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-002659",
            "import_time": "2026-05-15T07:37:15.586875521Z",
            "sha256": "cb3e0cb5c95475ce69c3672be6acfb9283bc6e29a1d7ba7452c922e7dc96a966",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:24:52Z",
            "versions": [
                "5.0.6"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / bigint.fs

Package

Affected ranges

Affected versions

5.*
5.0.6

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "bcfb01ee49200436ae27674b4294a5658ddfa08862e2808051648db5f200e16f",
            "tlsh": "a211485f023714370bbe90b21722600bd585936f200084a67f3c92950f7dc4885d2adc"
        }
    ],
    "package_integrity": [
        {
            "filename": "bigint.fs-5.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-bAKXOuUexxw/2RB8YMriQuJN9mR77HQzRgcCv/RK2aF6n4E5Glsa6/40D1Ls20ZsfoToywY4GYL8sjrpWMq98A==",
                "sha1": "09322d3bb2d0b2ca9b3f63fdeebb36263a4457b6"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bigint.fs/MAL-2026-3750.json"