MAL-2026-6468

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-opus/MAL-2026-6468.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6468
Aliases
  • GHSA-xr76-fgrm-h52p
Published
2026-06-25T18:11:49Z
Modified
2026-06-26T03:31:24.793767675Z
Summary
Malicious code in ts-opus (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7)

ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js (README, copyright, and repository URL all reference big.js) but injects an additional top-level block inside both big.js and big.mjs that calls require('node-slot') and invokes doc.from_str(), with both the synchronous error and the returned promise's rejection silently swallowed (try {....then(e=>{}).catch(e=>{}) } catch(error){}). The required module name node-slot is not declared in package.json — the declared dependency is the differently-named ref-slot — so the code intentionally loads an externally-resolved package whose contents are not controlled by this tarball. Any consumer who calls require('ts-opus') or imports big.mjs triggers loading and executing whatever node-slot resolves to at install time, with failures hidden from the user. The combination of (a) a cover-story package presenting itself as big.js, (b) require-time execution of an undeclared external module, and (c) silenced error handling to hide payload failures is a targeted supply-chain attack against consumers who believe they are pulling in big.js.
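
The mismatch described above (source requires node-slot, package.json declares only ref-slot) can be checked mechanically when reviewing a tarball. The following is an added example, not code from the advisory or from amazon-inspector: findUndeclaredRequires, SAMPLE and the "*" version range are assumptions made for illustration, and the regex scan is a heuristic, not a full JavaScript parser.

```javascript
// Added example: flag modules that a package's source loads but its
// manifest does not declare. All sample data below is constructed.

// Node's builtin list when require exists (CommonJS), else a short fallback.
const BUILTINS = new Set(typeof require === 'function'
  ? require('node:module').builtinModules
  : ['fs', 'path', 'os', 'http', 'https', 'crypto', 'child_process']);

// Matches require('x'), import('x'), `import ... from 'x'` and `import 'x'`.
const SPECIFIER_RE =
  /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s+(?:[^'"]*?\s+from\s+)?['"]([^'"]+)['"]/g;

// 'a/b' -> 'a', '@scope/a/b' -> '@scope/a'
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// manifest: parsed package.json; sources: { filename: file contents }.
// devDependencies are ignored on purpose: consumers do not install them.
function findUndeclaredRequires(manifest, sources) {
  const declared = new Set([manifest.name]);
  for (const field of ['dependencies', 'optionalDependencies', 'peerDependencies']) {
    Object.keys(manifest[field] || {}).forEach((d) => declared.add(d));
  }
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const m of text.matchAll(SPECIFIER_RE)) {
      const spec = m[1] || m[2];
      if (spec.startsWith('.') || spec.startsWith('/')) continue;   // local file
      if (spec.startsWith('node:') || BUILTINS.has(spec)) continue; // Node core
      const name = packageName(spec);
      if (!declared.has(name)) findings.push({ file, module: name });
    }
  }
  return findings;
}

// Constructed stand-in for the layout the advisory describes.
const SAMPLE = {
  manifest: { name: 'ts-opus', dependencies: { 'ref-slot': '*' } }, // range is a placeholder
  sources: {
    'big.js': "var fs = require('fs');\ntry { require('node-slot'); } catch (error) {}\n",
    'big.mjs': "try { require('node-slot'); } catch (error) {}\n",
  },
};

console.log(findUndeclaredRequires(SAMPLE.manifest, SAMPLE.sources));
```

A finding here is a review signal, not proof of malice: legitimate packages also miss dependency declarations, so pair it with the other traits the advisory lists, such as empty catch handlers around the load.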

Source: ghsa-malware (823418ded09f0da1edeb47585ca94c75449607a5e7661c52ab136f0b0b872bf2)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.8"
            ],
            "modified_time": "2026-06-25T18:11:49Z",
            "sha256": "73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7",
            "id": "IN-MAL-2026-007524",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T18:17:38.04190281Z"
        },
        {
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "modified_time": "2026-06-26T03:10:37Z",
            "sha256": "823418ded09f0da1edeb47585ca94c75449607a5e7661c52ab136f0b0b872bf2",
            "id": "GHSA-xr76-fgrm-h52p",
            "source": "ghsa-malware",
            "import_time": "2026-06-26T03:24:04.551759548Z"
        }
    ]
}

Affected packages

npm / ts-opus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*
0.0.8

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-opus/MAL-2026-6468.json"
indicators
{
    "package_integrity": [
        {
            "filename": "ts-opus-0.0.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-h3v9+6lazPHugteujZYJprzFzA5X9rggZ7LOXvl5KdUxmWMa7VcKdmD08vIHVyaBYxChKbBsS5cUE3C+ifREBg==",
                "sha1": "e48f5c4323bccd859f8bb7da19b6899cbadc52e5"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "big.js",
            "tlsh": "c6c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
            "sha256": "442c54a9b0beff03159cb7dd3a59ad1c09dbe09f0bcec91df0a33a032a2e4f99"
        }
    ]
}