MAL-2026-6342
Malicious code in therdweb (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d9e63765322daedaf6d802d322402a1837d3ec653ecf47909d243e5c87398117)

The package name 'therdweb' is a one-character variation of the popular 'thirdweb' SDK. Its contents, however, are copied verbatim from the unrelated big.js library: the README, the source code, the author field 'Michael Mclaughlin', the repository URL pointing at MikeMcl/big.js and the version banner '7.0.1' all belong to big.js. The publisher is the original author of neither project.

Both shipped entrypoints, big.js and big.mjs, contain an injected try/catch block that performs `require("parket-slot")` and immediately invokes `doc.from_str()` on the returned module at load time; the catch block is empty, so a missing or failing module is silently ignored. `parket-slot` is not listed in the `package.json` dependencies and is not mentioned in the README, which falsely claims 'No dependencies'. package.json additionally declares an undocumented dependency `log-taker@^0.0.9`.

Any consumer that imports or requires this package executes code from these external, undeclared or hidden modules, which are controlled by the same actor, while the README conceals their existence. This package is the loader half of a multi-package install-graph dropper, combining name confusion against thirdweb with identity impersonation of big.js.
Affected packages
No fixed version published yet for therdweb (npm). Because the package is malicious by design rather than a legitimate project with a compromised release, no version of it should be treated as safe: remove it, check lockfiles and node_modules for `therdweb` as well as for the modules it pulls in (`parket-slot`, `log-taker`), and confirm that the intended dependency was `thirdweb`.