Malicious package: ts-ecro (npm)

Malicious code in ts-ecro (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5647
Immediate action
Remove the package (and, if anything else still pulls them in, the loader packages it depends on, parket-slot / websocket-slot), then rotate any secrets the build or runtime could reach, since the loader runs with the full privileges of whatever process imported it.
npm uninstall ts-ecro

What this malware does

The package is published as 'ts-ecro' but ships a verbatim copy of big.js v7.0.1, keeping the original author's copyright, email, and GitHub repository URL: a typosquat/impersonation façade for the upstream big.js library.

At module top level, the entrypoint require()s a sibling attacker-controlled package and immediately invokes its from_str() method, so arbitrary code from that dependency runs on every import, as a side effect of the import itself rather than of any call into the library. The CommonJS variant (big.js:606-608) loads 'websocket-slot' and calls doc.from_str().then(...).catch(...); the ESM variant (big.mjs:606-608) wraps require("parket-slot") + doc.from_str() in a try/catch that swallows any error, including a missing module, so the import appears clean.

package.json declares 'parket-slot': '^0.0.6' as a runtime dependency, ensuring the loader executes on a default install with no further action by the victim. The genuine big.js library has no such require call; the loader is appended on top of an otherwise legitimate codebase to disguise the attack, so a diff against the real big.js v7.0.1 isolates the added lines.

Any project that installs and imports this package automatically runs whatever code parket-slot / websocket-slot ships, with attacker control over those packages' contents.

Malicious versions

2 flagged: 0.0.5, 0.0.6

Indicators of compromise (SHA-256)

37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2
6c0bc0efa5cfcc82b1f5b92bdbe69263b1da4cd9430a12c3e115e32002deda7e
8f2e942dcd86b8cef2bd0eb8809553bdd339bfc9c30b23ed3908df264a28fac0
f7dba297ddf69a33859e42330e69aefaba884b2893aae47b98d531129c45d212
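The "Immediate action", "What this malware does" and IoC sections above give enough detail to triage a tree mechanically: which flagged packages a lockfile resolves, whether a big.js/big.mjs on disk carries the appended top-level loader (a require() of parket-slot or websocket-slot followed by a from_str() call), and whether any installed file hashes to one of the listed SHA-256 values. The script below is an added example, not O3 Security's or Amazon Inspector's tooling. The function names, the constructed lockfile and source snippets, and the 200-character window between the require() and the from_str() call are assumptions of this example; the package names, versions and hashes are the advisory's.

```python
"""Offline triage for the ts-ecro (npm) advisory MAL-2026-5647.

Added example, not the advisory publisher's tooling. Secret rotation
(the second "Immediate action" step) is a human step and is not automated.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Package names the advisory ties to this campaign. Any version of these is
# reportable; the versions flagged for ts-ecro itself are listed separately.
FLAGGED_NAMES = {"ts-ecro", "parket-slot", "websocket-slot"}
KNOWN_BAD_VERSIONS = {"ts-ecro": {"0.0.5", "0.0.6"}}

# Indicators of compromise (SHA-256) from the advisory.
IOC_SHA256 = {
    "37901692194f47c987610aab18ef37d4361e8ab01efd1a8008876920dd8b8aa2",
    "6c0bc0efa5cfcc82b1f5b92bdbe69263b1da4cd9430a12c3e115e32002deda7e",
    "8f2e942dcd86b8cef2bd0eb8809553bdd339bfc9c30b23ed3908df264a28fac0",
    "f7dba297ddf69a33859e42330e69aefaba884b2893aae47b98d531129c45d212",
}

# Loader signature described in the advisory: require("parket-slot" |
# "websocket-slot") followed shortly by .from_str(. The 200-char window is an
# assumption of this example; a loader split further apart would be missed.
LOADER_RE = re.compile(
    r"""require\(\s*['"](?:parket-slot|websocket-slot)['"]\s*\)"""
    r"""[\s\S]{0,200}?\.from_str\s*\("""
)


def load_lockfile(path: str) -> dict:
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def scan_lockfile(lock: dict) -> list[tuple[str, str]]:
    """Return sorted (name, version) pairs for every flagged package in a lockfile.

    Handles lockfileVersion 2/3 ("packages" keyed by node_modules path) and
    lockfileVersion 1 (nested "dependencies" map); v2 carries both, so dedupe.
    """
    hits: set[tuple[str, str]] = set()
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in FLAGGED_NAMES:
            hits.add((name, meta.get("version", "")))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if name in FLAGGED_NAMES:
                hits.add((name, meta.get("version", "")))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(hits)


def has_loader(source: str) -> bool:
    """True if the JavaScript source carries the appended loader pattern."""
    return LOADER_RE.search(source) is not None


def scan_tree(root: Path) -> dict:
    """Walk a node_modules tree: report IoC hash matches and loader-bearing big.js/big.mjs."""
    findings: dict = {"ioc_hash": [], "loader": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if hashlib.sha256(p.read_bytes()).hexdigest() in IOC_SHA256:
            findings["ioc_hash"].append(rel)
        if p.name in ("big.js", "big.mjs") and has_loader(p.read_text(errors="replace")):
            findings["loader"].append(rel)
    return findings


# Constructed sample inputs for the demo (not real package contents).
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"ts-ecro": "^0.0.6"}},
        "node_modules/ts-ecro": {"version": "0.0.6", "dependencies": {"parket-slot": "^0.0.6"}},
        "node_modules/parket-slot": {"version": "0.0.6"},
        "node_modules/big.js": {"version": "7.0.1"},
    },
}
CLEAN_BIG_JS = "// constructed stand-in for big.js, not the real library\nvar Big = function () {};\nmodule.exports = Big;\n"
SAMPLE_LOADER = (
    "\n// constructed sample of the appended loader pattern the advisory describes\n"
    "var doc = require('websocket-slot');\n"
    "doc.from_str().then(function () {}).catch(function () {});\n"
)


def demo() -> dict:
    """Build a constructed node_modules tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        (nm / "ts-ecro").mkdir(parents=True)
        (nm / "big.js").mkdir()
        (nm / "ts-ecro" / "big.js").write_text(CLEAN_BIG_JS + SAMPLE_LOADER)  # trojanised copy
        (nm / "big.js" / "big.js").write_text(CLEAN_BIG_JS)                   # clean upstream
        return scan_tree(nm)


if __name__ == "__main__":
    print("lockfile hits:", scan_lockfile(SAMPLE_LOCK))
    print("tree findings:", demo())
```

On a real checkout, point load_lockfile() at package-lock.json and scan_tree() at node_modules; the constructed files in demo() cannot hash to the advisory's IoCs, so that check only fires against actual artifacts from the flagged versions. A lockfile hit on ts-ecro at any version is worth acting on even outside KNOWN_BAD_VERSIONS, since the advisory says not to keep the package at all.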

Frequently asked questions

Is ts-ecro safe to use?

No. ts-ecro on npm has been identified as a malicious package (versions 0.0.5 and 0.0.6 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-005741
  • IN-MAL-2026-005744
  • IN-MAL-2026-005743
  • IN-MAL-2026-005742

Credits

  • Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.
