MAL-2026-5647

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-ecro/MAL-2026-5647.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5647
Published
2026-06-11T13:19:22Z
Modified
2026-06-11T13:46:35.755686706Z
Summary
Malicious code in ts-ecro (npm)
Details

Source: amazon-inspector (37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2)

Package is published as 'ts-ecro' but ships a verbatim copy of big.js v7.0.1 with the original author's copyright, email, and GitHub repository URL — a typosquat/impersonation façade for the upstream big.js library. At module top-level, the entrypoint require()s a sibling attacker-controlled package and immediately invokes its fromstr() method, executing arbitrary code from that dependency on every import. The CommonJS variant (big.js:606-608) loads 'websocket-slot' and calls doc.fromstr().then(...).catch(...); the ESM variant (big.mjs:606-608) wraps require("parket-slot") + doc.from_str() in a try/catch that swallows errors so the import appears clean. package.json declares 'parket-slot': '^0.0.6' as a runtime dependency, ensuring the loader executes on a default install. The genuine big.js library has no such require call — the loader is appended on top of an otherwise-legitimate codebase to disguise the attack. Any project that installs and imports this package automatically runs whatever code parket-slot / websocket-slot ships, with attacker control over those packages' contents.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005741",
            "versions": [
                "0.0.5"
            ],
            "sha256": "37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:19:22Z",
            "import_time": "2026-06-11T13:27:21.151877739Z"
        },
        {
            "id": "IN-MAL-2026-005744",
            "versions": [
                "0.0.6"
            ],
            "sha256": "6c0bc0efa5cfcc82b1f5b92bdbe69263b1da4cd9430a12c3e115e32002deda7e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:19:25Z",
            "import_time": "2026-06-11T13:27:21.274204488Z"
        },
        {
            "id": "IN-MAL-2026-005743",
            "import_time": "2026-06-11T13:27:21.219174567Z",
            "sha256": "8f2e942dcd86b8cef2bd0eb8809553bdd339bfc9c30b23ed3908df264a28fac0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:19:25Z",
            "versions": [
                "0.0.6"
            ]
        },
        {
            "id": "IN-MAL-2026-005742",
            "versions": [
                "0.0.5"
            ],
            "sha256": "f7dba297ddf69a33859e42330e69aefaba884b2893aae47b98d531129c45d212",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T13:19:23Z",
            "import_time": "2026-06-11T13:27:21.190505859Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / ts-ecro
Affected ranges: 0.*
Affected versions: 0.0.5, 0.0.6

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "big.mjs",
            "sha256": "cc4f38d2c43eae53227a80cb79358fe6373f067d82d5b4b9e1cc135a0fbfbcc3",
            "tlsh": "50c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc"
        },
        {
            "path": "package.json",
            "sha256": "defd0c08e5add03737a0d979034cb5509b86c8a94313789f913f6ab1e66770fb",
            "tlsh": "93210163c9a19da70af85ba4bc6c03aaf1161b2f40a05c5bb07b131c4b3345b2095bbd"
        }
    ],
    "package_integrity": [
        {
            "filename": "ts-ecro-0.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-eVds3vphhGSNiX2T/VtfC+3BaNyes449zUK8RP/oJhl9k9xsBGUo+2j1KuevHsvqSLPmrLvMewDGmVenK5tkjA==",
                "sha1": "617c8e5af9e25937b83a08c10eb962f6701814f2"
            }
        }
    ],
    "domains": [
        "datasecure-service.vercel.app"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-ecro/MAL-2026-5647.json"