MAL-2026-6342

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/therdweb/MAL-2026-6342.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6342
Published
2026-06-23T20:01:30Z
Modified
2026-06-23T21:01:21.784382310Z
Summary
Malicious code in therdweb (npm)
Details

Source: amazon-inspector (d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117)

The package's name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK, while its contents (README, source code, author field 'Michael Mclaughlin', repository URL pointing at MikeMcl/big.js, version banner '7.0.1') are copied verbatim from the unrelated big.js library — the publisher is not the original author of either project. Both shipped entrypoints, big.js and big.mjs, contain an injected try/catch block that performs require("parket-slot") and immediately invokes doc.from_str() on it at module load, with the catch block left empty to swallow errors. parket-slot is not listed in package.json dependencies and is not mentioned in the README (which falsely claims 'No dependencies'); package.json additionally declares an undocumented dependency log-taker@^0.0.9. Any consumer that imports or requires this package will execute code from these external, undeclared/hidden modules controlled by the same actor, while the README hides their existence. This is the loader half of a multi-package install-graph dropper paired with name-confusion against thirdweb and identity impersonation of big.js.
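A reviewer's check for the loader pattern described above, added here as an example and not code from the OSV record or from either package it names. It flags require() calls whose target is not declared in package.json, declared dependencies the README never mentions, and require() calls wrapped in a try block with an empty catch; the package.json, README and entrypoint below are constructed to mirror the advisory, using the parket-slot and log-taker names it reports.

```javascript
// Added example; not code from the OSV record or from either package it names.
// Flags undeclared require() targets, README-hidden dependencies and try/empty-catch loads.
const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const SILENT_LOAD_RE = /try\s*\{([^}]*require\([^)]*\)[^}]*)\}\s*catch\s*(?:\([^)]*\))?\s*\{\s*\}/g;
// "@scope/pkg/sub" -> "@scope/pkg", "pkg/lib" -> "pkg"
const packageName = (spec) =>
  spec.startsWith('@') ? spec.split('/').slice(0, 2).join('/') : spec.split('/')[0];

// Package names required by `source` but not declared in package.json.
// `ignore` is for Node builtins (e.g. pass new Set(require('module').builtinModules)).
function undeclaredRequires(source, pkg, ignore = new Set()) {
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const found = new Set();
  for (const m of source.matchAll(REQUIRE_RE)) {
    const spec = m[1];
    if (/^[./]/.test(spec) || spec.startsWith('node:')) continue; // local file or builtin
    const name = packageName(spec);
    if (!declared.has(name) && !ignore.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Declared dependencies that the README never mentions.
function undocumentedDeps(pkg, readme) {
  return Object.keys(pkg.dependencies || {}).filter((d) => !readme.includes(d)).sort();
}

// Specifiers loaded inside try { ... } catch {}: load failures are silently swallowed.
function silentLoads(source) {
  const specs = [];
  for (const block of source.matchAll(SILENT_LOAD_RE)) {
    for (const r of block[1].matchAll(REQUIRE_RE)) specs.push(r[1]);
  }
  return specs;
}

// Constructed sample mirroring the advisory: a hidden dependency in package.json,
// a README claiming none, and an entrypoint carrying the injected loader block.
const SAMPLE_PKG = { name: 'sample', version: '0.0.8', dependencies: { 'log-taker': '^0.0.9' } };
const SAMPLE_README = '# big.js\n\nA small, fast library.\n\nNo dependencies.\n';
const SAMPLE_ENTRY = 'try { var doc = require("parket-slot"); doc.from_str(); } catch (e) {}\n' +
  "var util = require('util');\nmodule.exports = function Big(n) { return n; };\n";

function auditSample() {
  return {
    undeclared: undeclaredRequires(SAMPLE_ENTRY, SAMPLE_PKG, new Set(['util'])),
    undocumented: undocumentedDeps(SAMPLE_PKG, SAMPLE_README),
    silent: silentLoads(SAMPLE_ENTRY),
  };
}
```

Running the same three checks over a real tarball's package.json, README and every file named in "main", "module" or "exports" gives the review evidence the advisory lists, without executing the package.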

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.8"
            ],
            "import_time": "2026-06-23T20:48:30.793539676Z",
            "modified_time": "2026-06-23T20:01:30Z",
            "id": "IN-MAL-2026-007357",
            "sha256": "d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117",
            "source": "amazon-inspector"
        }
    ]
}

Affected packages

Package: npm / therdweb
Affected ranges: 0.*
Affected versions: 0.0.8

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/therdweb/MAL-2026-6342.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "188b33c5d430cbdf1ca4ad3ca5700d26ba6804b1",
                "sha512_sri": "sha512-EQz6H89XVA6bE2l1B6kAzTsD0r5sgKtIHeLUXgfrdT70BHWfwlOO6iqpa/Gc5z1pENV8tGlmEeBpx3ci7gU2tA=="
            },
            "filename": "therdweb-0.0.8.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "big.js",
            "sha256": "5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace",
            "tlsh": "24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc"
        },
        {
            "path": "package.json",
            "sha256": "a5ed77bf96808cd9df14566d6e83f54fcaddb4dcd576fa898e147aced0dbcb26",
            "tlsh": "76210467c9a59da70af85ba47c6c03aaf1151b1f44a05c5bb07b130c4b3355b2096b7d"
        }
    ]
}