VDB
GCVE-110-OSM-2026-6516
GCVE-110-OSM-2026-6516
Advisory PublishedCVSS 9.6/10
The publisher 'polyx' has a malicious ratio of 0.67 (6 of 9 checked packages confirmed malicious in OSM), including critical-severity packages eslint-helper-1, new-helper, and new-ts-helper. Critically, this package directly depends on 'new-helper', which is itself flagged as malicious in OSM — meaning the malicious payload is likely delivered transitively through that dependency rather than embedded in the big.js source code clone. The package masquerades as the legitimate big.js library (same description, author name, version 5.8.0, GitHub repository URL) — a classic typosquatting/brandjacking attack pattern. The 4-day-old burner account with 10 packages showing near-duplicate names is a hallmark of a malicious campaign using a throwaway publisher identity. The entrypoint file appears to be a clean copy of big.js used as camouflage, but the malicious dependency 'new-helper' provides the actual attack vector.
ENTRY
big.mjs (main: big.mjs)
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
- Malicious Dependency Detected (OSM) in package.json
- Very New NPM Publisher Account
- Publisher Shows Burner-Account Pattern
- Malicious Dependency Detected in package.json
INDICATORS (IOCs)
- urls: http://mikemcl.github.io/big.js/, https://deno.land/, https://opencollective.com/bigjs, https://www.coinbase.com/
- domains: mikemcl.github.io, www.coinbase.com, deno.land
- emails: start@yc.length, adding@yc.length
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | new-ecro-helper | 5.8.0 (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.