npm

abuden21@1.7.7

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-5937

Ecosystem

npm

Summary

The tarball ships auto-publish.sh, which iterates a hardcoded list of ~90 unrelated package names (imillegal1..N, ishowfeet*, nottuff*, abuden*, ratelimitsucks*) and runs npm publish --silent for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in assets/*.js. package.json has no preinstall / install / postinstall hooks and no bin; the declared main is a browser service worker (sw.js) that calls importScripts / self and throws immediately under Node, so npm install abuden21 and require('abuden21') perform no code execution against the installer. The bundled index.html (and a duplicate inside logo.svg) registers click/keydown/touchstart handlers that open https://abdct.com/ as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.

Source: amazon-inspector (4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22)
