-= Per source details. Do not edit below this line.=-
The package's name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK, while its contents (README, source code, author field 'Michael Mclaughlin', repository URL pointing at MikeMcl/big.js, version banner '7.0.1') are copied verbatim from the unrelated big.js library — the publisher is not the original author of either project. Both shipped entrypoints, big.js and big.mjs, contain an injected try/catch block that performs require("parket-slot") and immediately invokes doc.from_str() on it at module load, with the catch block left empty to swallow errors. parket-slot is not listed in package.json dependencies and is not mentioned in the README (which falsely claims 'No dependencies'); package.json additionally declares an undocumented dependency log-taker@^0.0.9. Any consumer that imports or requires this package will execute code from these external, undeclared/hidden modules controlled by the same actor, while the README hides their existence. This is the loader half of a multi-package install-graph dropper paired with name-confusion against thirdweb and identity impersonation of big.js.
{
"malicious-packages-origins": [
{
"versions": [
"0.0.8"
],
"import_time": "2026-06-23T20:48:30.793539676Z",
"modified_time": "2026-06-23T20:01:30Z",
"id": "IN-MAL-2026-007357",
"sha256": "d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117",
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/therdweb/MAL-2026-6342.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"hashes": {
"sha1": "188b33c5d430cbdf1ca4ad3ca5700d26ba6804b1",
"sha512_sri": "sha512-EQz6H89XVA6bE2l1B6kAzTsD0r5sgKtIHeLUXgfrdT70BHWfwlOO6iqpa/Gc5z1pENV8tGlmEeBpx3ci7gU2tA=="
},
"filename": "therdweb-0.0.8.tgz"
}
],
"evidence_files": [
{
"path": "big.js",
"sha256": "5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace",
"tlsh": "24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc"
},
{
"path": "package.json",
"sha256": "a5ed77bf96808cd9df14566d6e83f54fcaddb4dcd576fa898e147aced0dbcb26",
"tlsh": "76210467c9a59da70af85ba47c6c03aaf1151b1f44a05c5bb07b130c4b3355b2096b7d"
}
]
}