MAL-2026-6468
Malicious code in ts-opus (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (73b0105b34723dd6e1449c3353d1d4df0dcf94ae460a4dfd156566bb4ba372c7) ts-opus 0.0.8 ships an unmodified copy of MikeMcl/big.js (README, copyright, and repository URL all reference big.js) but injects an additional top-level block inside both big.js and big.mjs that calls `require('node-slot')` and invokes `doc.from_str()`, with both the synchronous error and the returned promise's rejection silently swallowed (`try {....then(e=>{}).catch(e=>{}) } catch(error){}`). The required module name `node-slot` is not declared in package.json — the declared dependency is the differently-named `ref-slot` — so the code intentionally loads an externally-resolved package whose contents are not controlled by this tarball. Any consumer who `require('ts-opus')` or imports `big.mjs` triggers loading and executing whatever `node-slot` resolves to at install time, with failures hidden from the user. The combination of (a) a cover-story package presenting itself as big.js, (b) require-time execution of an undeclared external module, and (c) silenced error handling to hide payload failures is a targeted supply-chain attack against consumers who believe they are pulling in big.js.
## Source: ghsa-malware (823418ded09f0da1edeb47585ca94c75449607a5e7661c52ab136f0b0b872bf2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected packages
No fixed version published yet for ts-opus (npm). Pin to a known-safe version or switch to an alternative.