MAL-2026-6525: Malicious code in ts-einkle-slot (npm)
The npm package ts-einkle-slot (version 0.0.8) is a malicious package impersonating the legitimate big.js library. Its entrypoints contain injected code that, on import, loads and executes node-slot, a dependency declared by ts-einkle-slot (transitive from the consuming project's point of view) that has nothing to do with the advertised decimal arithmetic functionality. The behaviour is designed to run attacker-controlled code silently while the package keeps the appearance of a legitimate big.js drop-in.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
The ts-einkle-slot package published on npm mimics the legitimate big.js package by copying its source and metadata to spoof the publisher identity. Its CommonJS and ESM entrypoints, however, include injected code that immediately requires the node-slot module and invokes a method from it; node-slot is a dependency introduced solely by this malicious package. As a result, any import or require of ts-einkle-slot executes the node-slot code, and whatever effect that code has is under the attacker's control. Nothing in the package's advertised purpose justifies loading node-slot, which indicates malicious intent.
Potential Impact
Any project that installs or imports ts-einkle-slot@0.0.8 will execute attacker-controlled code from the node-slot dependency without the user's awareness. This can lead to compromise of the host environment (developer machines, CI runners, and production systems alike) or to further supply-chain contamination. The injected code silently swallows errors so that the package keeps working as a drop-in replacement for big.js, which makes the execution unlikely to be noticed.
Mitigation Recommendations
Avoid installing or using the ts-einkle-slot package, especially version 0.0.8. Remove every instance of this package and its dependency node-slot from your projects and lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), and check that neither name reappears after reinstalling. Because the code runs on import alone, treat any host that installed or loaded the package as potentially compromised and investigate it accordingly. Since no official patch or fix is available, rely on package source verification and trusted package registries. Monitor for updates or advisories from npm or security databases regarding this package.
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: MAL-2026-6525
- OSV Schema Version: 1.7.4
- Aliases: none
- Ecosystems: npm
- Database-Specific Severity: not provided
- CVSS Version: not provided
Threat ID: 6a3ef7aa27e9c79719ffb6a4
Added to database: 06/26/2026, 22:05:30 UTC
Last enriched: 06/26/2026, 22:25:55 UTC
Last updated: 06/27/2026, 00:38:22 UTC