MAL-2026-6316

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-biginteger-lib/MAL-2026-6316.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6316

Published

2026-06-23T16:07:35Z

Modified

2026-06-23T17:01:25.319380277Z

Summary

Malicious code in ts-biginteger-lib (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3)

Package is published as 'ts-biginteger-lib' but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to 'Michael Mclaughlin M8ch88l@gmail.com', repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls require("ts-lint-builders") and invokes doc.from_str().then(...).catch(...). package.json additionally declares "ts-linter-builders": "latest" as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer require()s or imports ts-biginteger-lib. The unpinned latest specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3",
            "import_time": "2026-06-23T16:54:12.462976362Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:07:35Z",
            "versions": [
                "5.0.5"
            ],
            "id": "IN-MAL-2026-007259"
        }
    ]
}

References

https://www.npmjs.com/package/ts-biginteger-lib/v/5.0.5

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ts-biginteger-lib

Package

Name: ts-biginteger-lib; View open source insights on deps.dev
Purl: pkg:npm/ts-biginteger-lib

Affected ranges

Affected versions

5.*

5.0.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-biginteger-lib/MAL-2026-6316.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "7d3c7d774ce3d9231e144c52830418ee9a38e7fd6f1c7d9f5c83c882ab8485ad",
            "tlsh": "cdc2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc",
            "path": "big.js"
        },
        {
            "sha256": "57fed54dc425b3d763b4b2deb0d63e50ee2bb1ce117b5c52e3a01db76fd0c631",
            "tlsh": "6e212263c9b19da70af85b94b86c43aaf1161b2f00a05c57b07b130c4b7345b2095bbd",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ts-biginteger-lib-5.0.5.tgz",
            "hashes": {
                "sha1": "598e816ee6e49bf3264d46e4a35487d23aae0d84",
                "sha512_sri": "sha512-Qke1nuOGZtQUtQU0b9xNb9PyY8dCpItaCjavtbBnzvk1DiTsAEOgGD0Sq+j1yHh9bhSxkYyoUNoNqs9LayMzzQ=="
            }
        }
    ]
}