Feed
HighPublished 18 Jun 2026Updated 22 Jun 20268 packages · 16 versions

`parket-helper` / `ts-ecro` big.js typosquat dropper cluster

Summary

A cluster of npm typosquats impersonating big.js shipped verbatim copies of the legitimate library with a single added five-line require of parket-helper / parket-slot / new-solt — three otherwise-empty utility packages whose entire purpose is to execute attacker-controlled JavaScript at import time. GitHub and npm flagged the eight packages and replaced them with 0.0.1-security holders between 2026-06-18 and 2026-06-19.

typosquatobfuscation
Detected by
GitHub · CIRCL
Also known as
parket loader cluster · big.js typosquat dropper June 2026
Ecosystems
npm
Packages tracked
8

What happened

Between 2026-06-10 and 2026-06-18 a single operator published a small family of npm packages that impersonate big.js (the popular arbitrary-precision decimal library by MikeMcl, ~6M weekly downloads). Each facade package ships a verbatim copy of big.js v7.0.1 — same source, same README author block, same MikeMcl copyright header, same GitHub repository field in package.json — with one addition: a five-line try { require("parket-slot") } catch {} (or require("parket-helper") / require("new-solt")) wrapper injected near the top of the main entry. The loader runs as soon as a downstream project imports the package, executes attacker-controlled code from the helper, and swallows any error so the host application keeps functioning normally.

GitHub Advisory Database (GHSA) issued malware advisories for the eight packages between 2026-06-18 and 2026-06-19 (CWE-506, "Embedded Malicious Code", severity Critical). The npm registry replaced every affected version with a 0.0.1-security holder during the same window. Per npm registry metadata the original publish timeline was:

  • 2026-06-10 17:23 UTC — ts-esys@0.0.5
  • 2026-06-11 07:28 UTC — parket-slot@0.0.6 (the longest-dwelled loader; seven days live before takedown)
  • 2026-06-11 07:37 / 07:38 UTC — ts-ecro@0.0.5, ts-ecro@0.0.6
  • 2026-06-18 11:04 / 11:07 UTC — parket-helper@0.0.1, parket-helper@5.8.1 (the 5.8.x version number is a typosquat for the legitimate big.js release line)
  • 2026-06-18 11:26 / 11:27 UTC — ts-ecro-helper@0.0.1, ts-ecro-helper@5.8.0
  • 2026-06-18 17:43 / 17:44 UTC — ts-big-ecro@0.1.0, ts-big-ecro@3.8.1
  • 2026-06-18 19:35 / 19:54 / 20:32 UTC — new-solt@0.0.7, new-solt@0.0.8, new-solt@0.0.9
  • 2026-06-18 19:41 / 19:57 / 20:33 UTC — new-ecro@0.0.6, new-ecro@0.0.7, new-ecro@0.0.9

Why the manifest mismatch matters

A developer (or scanner) inspecting new-ecro@0.0.9 sees a package.json that declares "dependencies": { "new-solt": "^0.0.8" }. The runtime code, however, calls require("parket-slot"). That mismatch means a registry-side dependency-graph audit (which only reads package.json) never associates new-ecro with the eventually-flagged parket-slot loader — only a runtime trace or a source-level scan catches it. The technique is documented in CIRCL's public MAL-2026-6197 / 6198 / 6199 vulnerability-lookup entries and is described by GHSA reviewers as a "canonical malicious-typosquat dropper pattern": metadata spoofing of a popular library + silent runtime require of a differently-named module than declared + unconditional try/catch error suppression.

Relation to earlier big.js typosquats

This cluster is mechanically similar to the sjs-biginteger / sjs-lint-build1 SSH-backdoor campaign that SafeDep documented on 2026-04-07 (also a big.js verbatim-copy facade plus a sibling-package loader) and to the January 2026 BigSquatRat / bigmathix / bigmathex / bignumx cluster analysed by kmsec.uk (which used a aurevian.cloud C2 to deliver a JS RAT). No public source has attributed the June 2026 parket/ECRO cluster to a named actor; the recurring big.js targeting and the loader-package indirection strongly suggest a continuing operator using the same playbook against a high-value typo target.

The registry holding pages confirm npm completed takedowns within ~21 hours of the first June 18 publish burst. Any project whose lockfile resolved one of the affected versions between the original publish timestamp and the 2026-06-19 08:27 UTC final takedown should be considered exposed.

Affected packages (8)

  • npmnew-ecro
    0.0.60.0.70.0.9
  • npmnew-solt
    0.0.70.0.80.0.9
  • npmparket-helper
    0.0.15.8.1
  • npmparket-slot
    0.0.6
  • npmts-big-ecro
    0.1.03.8.1
  • npmts-ecro
    0.0.50.0.6
  • npmts-ecro-helper
    0.0.15.8.0
  • npmts-esys
    0.0.5

Impact

  • Arbitrary code execution at require() / import time inside any process that pulls the typosquat — no install hook needed, the malicious load runs the moment the module is first imported
  • Manifest spoofing: each facade declares the original big.js repository, author, and copyright in package.json, so casual maintainer review (and most metadata-only scanners) sees an unchanged big.js entry
  • Loader-name laundering: new-ecro declares new-solt@0.0.8 in package.json but the runtime code require()s parket-slot — a name mismatch that hides the actual executing module from anyone who only reads the manifest
  • Error-swallowing try { require(...) } catch {} wrapper around the dropper means the host process keeps running normally, so the operator can re-attempt or pivot without crashing the build
  • Multi-month dwell: parket-slot@0.0.6 was first published 2026-06-11 and only flagged seven days later — any lockfile that resolved a ^0.0.x range during that window picked it up transparently

What to do

  1. 1Grep your lockfile for any of parket-helper, parket-slot, new-solt, ts-ecro, ts-ecro-helper, ts-big-ecro, new-ecro, or ts-esys — none of these have a legitimate use; if found, treat the host as compromised
  2. 2Treat any machine that ran npm install resolving these packages between 2026-06-10 and 2026-06-19 as compromised — rotate npm tokens, SSH keys, cloud credentials, and any browser-extension wallet seeds from a separate clean device
  3. 3If you intended to use big.js, install it from the official MikeMcl/big.js repository (npm install big.js) — none of the ts-*-ecro / *-bign / new-ecro lookalikes are upstream
  4. 4Add parket-helper, parket-slot, and new-solt to your registry mirror denylist — they are pure loader packages with no benign use
  5. 5Audit your dependency tree for indirect pulls: a typosquat-aware scanner (Socket, Snyk, Phylum, SafeDep) flags the manifest-mismatch pattern (require()ing a different name than declared) and is the cheapest broad detection

References

npm-2026-06-18-parket-ecro-bigjs-typosquat-dropper