nottuff25 @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-5916
Ecosystem
npm
Summary
The tarball is not a Node library. package.json declares main: sw.js with description "package" and an empty author; sw.js is a browser ServiceWorker ( importScripts('./8cfc2/hgshm.js') , self.skipWaiting() , self.clients , fetch interception) that has no meaning when consumed via require('nottuff25') in Node. The shipped static site bundles the Mercury Workshop Scramjet web proxy plus bare-mux, branded as "Riverbend Tutoring" while pointing og:url at 21baseballacademy.com — a misrepresentation of what the npm name advertises. The tarball also ships auto-publish.sh , a bash script with a hardcoded list of 95+ sibling package names (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) that rewrites package.json and runs npm publish --silent in a loop — the attacker's own mass-publication pipeline shipped inside the artifact, with the current package name nottuff25 appearing as a literal entry in that list. index.html additionally registers click/keydown/touchstart listeners that open https://abdct.com/ as a popunder on first interaction (browser-side adware, not installer-side). No install/require-time exfil, RCE, or credential theft is present, but this is a coordinated namespace-pollution campaign and the package misrepresents itself to npm consumers.
Source: amazon-inspector (238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.