Malicious package: new-ecro-1 (npm)

Malicious code in new-ecro-1 (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-6198
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall new-ecro-1

What this malware does

Package new-ecro-1 impersonates the legitimate big.js library by shipping its source verbatim (banner, license, and homepage pointing at MikeMcl/big.js). Inside the load-time IIFE in both big.js and big.mjs at line 606, an injected block silently executes const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}), wrapped in a try/catch that swallows all errors. The parket-slot package is not declared in this manifest's dependencies (which instead lists new-solt-1), so the require resolves to whatever loader-controlled package happens to be present in the surrounding install tree, executing its from_str() on import. The combination of name-impersonation, undeclared cross-package require, and silent error suppression is a loader stub for attacker-controlled code that runs the moment any consumer imports this module.

Malicious versions

2 flagged
0.1.9
0.3.9

Indicators of compromise (SHA-256)

01b0b55fd906ade779ab708144b0becba338debc03c56a2fe0b6468b1d12808e
0c4e172aa83f2b8742fb014ea649490c87815573cab692ea74eb402ee23f935c

Frequently asked questions

No. new-ecro-1 on npm has been identified as a malicious package (versions 0.1.9, 0.3.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-007060
IN-MAL-2026-007061

Credits

  • Amazon Inspector · finder

O3 Security blocks malicious packages like this at install time and in CI.
