The ts-opus package version 0.0.8 ships an unmodified copy of the legitimate big.js library but injects additional top-level code inside big.js and big.mjs that requires an undeclared module named 'node-slot'. This module is not listed in package.json dependencies, allowing the package to load an external module resolved at install time, which is outside the control of the ts-opus tarball. The injected code calls doc.from_str() on the required module, and all synchronous errors and promise rejections are caught and ignored, hiding any failure from the user. This behavior constitutes a targeted supply-chain attack, misleading consumers who believe they are using the authentic big.js library. The malicious code executes at require-time, potentially compromising the host system.

Any computer with ts-opus version 0.0.8 installed or running is considered fully compromised. The malicious code executes arbitrary external code silently, potentially allowing an attacker full control over the system. All secrets and keys stored on the compromised computer should be considered exposed and must be rotated immediately from a secure, unaffected device. Removing the package alone does not guarantee removal of all malicious artifacts or backdoors introduced by this compromise.

No official patch or fix is currently available for ts-opus version 0.0.8. Users should immediately remove this package from their systems. Because the package executes undeclared external code and silently suppresses errors, any system with this package installed should be treated as fully compromised. All secrets and credentials on the affected system must be rotated from a different, secure computer. Monitor for any unusual activity and consider rebuilding affected systems from known good backups.