npm

abuden216 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10259

Ecosystem

npm

Summary

The tarball ships auto-publish.sh , a script that republishes the same payload under ~100 distinct npm names ( ishowfeet1 - ishowfeet20 , nottuff1 - nottuff30 , abuden* , imillegal* , ratelimitsucks* , etc/) by rewriting package.json.name and running npm publish --silent in a loop — namespace-spam infrastructure shipped inside the package itself. The package's declared main is sw.js , a browser Service Worker ( importScripts('./8cfc2/hgshm.js') , self.addEventListener('install'|'activate'|'fetch'|'message') ) that throws immediately if loaded from Node. The shipped assets are a heavily obfuscated Ultraviolet/bare-mux web-proxy frontend with an index.html themed as "Riverbend Tutoring" that hides a popunder redirect to https://abdct.com/ on click/keydown/touchstart. package.json declares no preinstall / install / postinstall / prepare hooks, and require('ishowfeet9') from Node fails before any code runs, so a Node installer experiences no auto-execution. The harm is registry abuse (mass-publication of a misleading name family) and a browser-side proxy/popunder served to whoever later loads these static assets — not installer-side compromise. Routing to human review for namespace-abuse adjudication.

Source: amazon-inspector (136d8dabbba25b7fb10fa921d1eafe01d4f6710465dfc33ad213f02043973b49)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.