MAL-2026-6316

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b8059a1d2db2edb7231b017023f82f6a651585c0ee7120aaebe882cb6407b9e3) Package is published as 'ts-biginteger-lib' but its metadata, README, and source are a wholesale copy of big.js by MikeMcl (author set to 'Michael Mclaughlin <M8ch88l@gmail.com>', repository pointing at MikeMcl/big.js, README unchanged). Inserted into the otherwise-verbatim big.js source at big.js:605-609 is a try/catch that, at module load time, calls `require("ts-lint-builders")` and invokes `doc.from_str().then(...).catch(...)`. package.json additionally declares `"ts-linter-builders": "latest"` as a runtime dependency. The legitimate big.js declares no runtime dependencies; these injected loads execute arbitrary code from separately-published, attacker-controlled packages every time a consumer `require()`s or `import`s ts-biginteger-lib. The unpinned `latest` specifier lets the publisher rotate the payload at any time without modifying this package. The combination of brand impersonation (to attract installers searching for a TypeScript big-integer library) and require-time execution of an external, version-floating dependency is a supply-chain dropper.