MAL-2026-6198

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-ecro-1/MAL-2026-6198.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6198

Published

2026-06-19T05:20:04Z

Modified

2026-06-19T07:31:48.200132114Z

Summary

Malicious code in new-ecro-1 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c)

Package new-ecro-1 impersonates the legitimate big.js library by shipping its source verbatim (banner, license, and homepage pointing at MikeMcl/big.js). Inside the load-time IIFE in both big.js and big.mjs at line 606, an injected block silently executes const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}), wrapped in a try/catch that swallows all errors. The parket-slot package is not declared in this manifest's dependencies (which instead lists new-solt-1), so the require resolves to whatever loader-controlled package happens to be present in the surrounding install tree, executing its from_str() on import. The combination of name-impersonation, undeclared cross-package require, and silent error suppression is a loader stub for attacker-controlled code that runs the moment any consumer imports this module.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "01b0b55fd906ade779ab708144b0becba338debc03c56a2fe0b6468b1d12808e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:20:04Z",
            "versions": [
                "0.3.9"
            ],
            "id": "IN-MAL-2026-007060",
            "import_time": "2026-06-19T07:17:16.909021254Z"
        },
        {
            "sha256": "0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T05:20:05Z",
            "versions": [
                "0.1.9"
            ],
            "id": "IN-MAL-2026-007061",
            "import_time": "2026-06-19T07:17:16.967727952Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / new-ecro-1

Package

Name: new-ecro-1; View open source insights on deps.dev
Purl: pkg:npm/new-ecro-1

Affected ranges

Affected versions

0.*

0.1.9

0.3.9

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-ecro-1/MAL-2026-6198.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "eb6ce18afdacb4c6b3eb97521184a1330adcab077dcb12f5342ed2ee3a49447c",
            "tlsh": "ebc2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
            "path": "big.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-1vRDxfgRZyrpvnERul7HaYJcTb/HW4m5Yz8r6HsroDzvlN4SNN8TE+jfhdrBO6JjzdfS840tSoFbj81X4TFw1w==",
                "sha1": "fcb596e099fc0856a0217a3bf6554aba25824ea0"
            },
            "filename": "new-ecro-1-0.3.9.tgz"
        }
    ]
}