npm

nottuff23 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-5915

Ecosystem

npm

Summary

The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships auto-publish.sh , which hard-codes a list of sibling names ( nottuff1..30 , ishowfeet1..20 , imillegal1..5 , abuden* , ratelimitsucks* nottuff23 is on the list) and republishes the same payload to each name by rewriting package.json.name and running npm publish --silent . The shipped content is not a Node library: package.json.main points at sw.js , a browser service worker that uses importScripts , self.addEventListener('install'|'activate'|'fetch'|'message',...) — APIs that do not exist in Node and would throw if require() 'd. The bundled obfuscated assets/*.js files are a dormant Ultraviolet-style web-proxy frontend, plus an index.html titled "Riverbend Tutoring" that loads remote scripts from cdn.21baseballacademy.com and googletagmanager.com and opens https://abdct.com/ on click. There are no npm lifecycle hooks ( scripts contains only a no-op test ); npm install and require() execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.

Source: amazon-inspector (41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.