abuden210 @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10253
Ecosystem
npm
Summary
The tarball ships auto-publish.sh , a script that republishes the same payload under ~100 distinct npm names ( ishowfeet1 - ishowfeet20 , nottuff1 - nottuff30 , abuden* , imillegal* , ratelimitsucks* , etc/) by rewriting package.json.name and running npm publish --silent in a loop — namespace-spam infrastructure shipped inside the package itself. The package's declared main is sw.js , a browser Service Worker ( importScripts('./8cfc2/hgshm.js') , self.addEventListener('install'|'activate'|'fetch'|'message') ) that throws immediately if loaded from Node. The shipped assets are a heavily obfuscated Ultraviolet/bare-mux web-proxy frontend with an index.html themed as "Riverbend Tutoring" that hides a popunder redirect to https://abdct.com/ on click/keydown/touchstart. package.json declares no preinstall / install / postinstall / prepare hooks, and require('ishowfeet9') from Node fails before any code runs, so a Node installer experiences no auto-execution. The harm is registry abuse (mass-publication of a misleading name family) and a browser-side proxy/popunder served to whoever later loads these static assets — not installer-side compromise. Routing to human review for namespace-abuse adjudication.
Source: amazon-inspector (368c280a0e86d6d687aa5789a4bca9daeacd64666dc6954dd729a7549f506a59)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.