npm

abuden22 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-6129

Ecosystem

npm

Summary

The tarball contains a static-site bundle (index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js). The package's declared main entry is sw.js, which is a browser ServiceWorker (uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node — require()/import in Node throws on those globals. There are no preinstall/install/postinstall lifecycle hooks; only a test script is declared. The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temp directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1,...) via npm publish --silent , using the author's own ambient credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on npm install . index.html also contains a browser-side popunder that opens https://abdct.com/ on the first user gesture, which only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle. There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install/import, or otherwise harms the installer's environment. The package is registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.

Source: amazon-inspector (1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.