ratelimitsucks @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-6135
Ecosystem
npm
Summary
Package is not a library. main points at sw.js , a browser Service Worker that uses importScripts , self.addEventListener('fetch'|'install'|'activate') , and self.clients.claim() — all undefined in Node, so require('ratelimitsucks') throws on the first line. There are no install lifecycle hooks ( scripts only declares test ), so npm install of this package does not auto-execute any code on the installer's machine. The shipped contents are a school-filter-bypass web proxy (12 heavily obfuscated assets/*.js files with hex-mangled identifiers, a Service Worker that rewrites HTML responses and intercepts navigation), an index.html cover page ("Riverbend Tutoring") that loads a third-party script from cdn.21baseballacademy.com and opens a popunder to abdct.com , and an auto-publish.sh script that loops i=1..10, rewrites package.json.name to ratelimitsucks , ratelimitsucks1 ,..., ratelimitsucks9 , and runs npm publish for each — the author's own mass-publication pipeline shipped inside the tarball. Direct harm to a developer who installs this package is effectively nil (no hooks, no require-safe entry point). The harms are (a) abuse of the npm registry as a CDN for an unrelated proxy site, (b) demonstrated typosquat-name-squatting intent across 10 sibling names, and (c) a popunder ad redirect served from the cover page. Routing to human review for unpublish/registry-abuse handling rather than blocking as an installer-side supply-chain attack.
Source: amazon-inspector (44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.