MAL-2026-5647
Malicious code in ts-ecro (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2)

The package is published as 'ts-ecro' but ships a verbatim copy of big.js v7.0.1, including the original author's copyright, email, and GitHub repository URL: a typosquat/impersonation façade for the upstream big.js library.

At module top level, the entrypoint require()s a sibling attacker-controlled package and immediately invokes its from_str() method, so arbitrary code from that dependency runs on every import. The CommonJS variant (big.js:606-608) loads 'websocket-slot' and calls doc.from_str().then(...).catch(...); the ESM variant (big.mjs:606-608) wraps require("parket-slot") and doc.from_str() in a try/catch that swallows errors so the import appears clean. package.json declares 'parket-slot': '^0.0.6' as a runtime dependency, ensuring the loader executes on a default install.

The genuine big.js library has no such require call; the loader is appended to an otherwise legitimate codebase to disguise the attack. Any project that installs and imports this package automatically runs whatever code parket-slot / websocket-slot ships, with the attacker in control of those packages' contents.
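As an added example (not code from the advisory source, from ts-ecro, or from big.js), the Node.js script below is a heuristic triage check for the pattern described above. It scans the text of a package entrypoint for a top-level require() whose result is immediately invoked, for a require() wrapped in a try/catch with an empty catch body, and for required packages that package.json does not declare. The sample entrypoint tails and package.json embedded in it are constructed approximations of what the advisory describes at big.js:606-608, big.mjs:606-608 and package.json, not the real file contents; every function name and the partial builtin-module list are this example's own.

```javascript
// Added example: heuristic triage for the "legitimate library + appended
// loader" pattern the advisory describes. Not code from ts-ecro, big.js or
// the advisory source; all identifiers are this example's own. Regex based
// by design: a triage aid to run over a downloaded tarball, not a JS parser.

// Constructed sample inputs modelled on the advisory's description. They are
// approximations written for this example, not the real file contents.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "ts-ecro",
  main: "big.js",
  dependencies: { "parket-slot": "^0.0.6" },
});

const SAMPLE_CJS_TAIL = `
  if (typeof module !== 'undefined' && module.exports) { module.exports = Big; }
  var doc = require("websocket-slot");
  doc.from_str().then(function () {}).catch(function () {});
`;

const SAMPLE_ESM_TAIL = `
export default Big;
try {
  var doc = require("parket-slot");
  doc.from_str();
} catch (e) {}
`;

// `<name> = require("pkg")` followed by `<name>.method(`: the dependency is
// executed at import time, before the importer has done anything.
const IMPORT_TIME_CALL_RE =
  /(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)\s*;?\s*\1\s*\.\s*([A-Za-z_$][\w$]*)\s*\(/g;

// try { ... require(...) ... } catch (...) {}: an empty catch hides a missing
// or crashing dependency from the importer.
const SWALLOWED_REQUIRE_RE =
  /try\s*\{([^}]*require\([^}]*)\}\s*catch\s*(?:\([^)]*\))?\s*\{\s*\}/g;

const REQUIRE_RE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /^\s*import\b[^'"]*['"]([^'"]+)['"]/gm;

// Partial list of Node core modules, enough to keep them out of the report.
const NODE_BUILTINS = new Set([
  "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
  "https", "module", "net", "os", "path", "process", "stream", "url",
  "util", "zlib",
]);

function importTimeInvocations(source) {
  return [...source.matchAll(IMPORT_TIME_CALL_RE)].map((m) => ({
    binding: m[1], module: m[2], method: m[3],
  }));
}

function swallowedRequires(source) {
  return [...source.matchAll(SWALLOWED_REQUIRE_RE)].map((m) => m[1].trim());
}

// Reduce a specifier to its package name; drop relative paths and builtins.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/")) return null;
  const bare = spec.replace(/^node:/, "");
  const parts = bare.split("/");
  const name = bare.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

function requiredPackages(source) {
  const names = new Set();
  for (const re of [REQUIRE_RE, IMPORT_RE]) {
    for (const m of source.matchAll(re)) {
      const name = packageName(m[1]);
      if (name) names.add(name);
    }
  }
  return [...names];
}

// Packages required at runtime but absent from package.json: they resolve
// only if something else happened to install them, which is itself a signal.
function undeclaredPackages(source, packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const declared = new Set(
    ["dependencies", "peerDependencies", "optionalDependencies"]
      .flatMap((k) => Object.keys(pkg[k] || {})),
  );
  return requiredPackages(source).filter((n) => !declared.has(n));
}

function scan(source, packageJsonText) {
  return {
    importTimeInvocations: importTimeInvocations(source),
    swallowedRequires: swallowedRequires(source),
    undeclaredPackages: undeclaredPackages(source, packageJsonText),
  };
}

const REPORT = {
  cjs: scan(SAMPLE_CJS_TAIL, SAMPLE_PACKAGE_JSON),
  esm: scan(SAMPLE_ESM_TAIL, SAMPLE_PACKAGE_JSON),
};
console.log(JSON.stringify(REPORT, null, 2));
```

Run it over the files obtained with `npm pack ts-ecro` (or an extracted tarball) rather than over an installed node_modules tree, so the inspection happens before anything in the package can execute. On the constructed samples the CommonJS tail trips the import-time-call and undeclared-package checks (the advisory lists only 'parket-slot' as a declared dependency), while the ESM tail trips the import-time-call and swallowed-error checks.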
Affected packages
No fixed version has been published for ts-ecro (npm). Remove the package and depend on the upstream big.js library it impersonates instead.