sixseven10 @1.7.7
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10373
Ecosystem
npm
Summary
The package declares no install/postinstall/preinstall lifecycle scripts, and its declared main is sw.js — a browser ServiceWorker that uses importScripts , self.addEventListener('install'|'fetch'|'activate') , and self.clients.claim() . Loading it in Node via require() would throw on the browser-only globals before any code ran, so installing this package does not execute any of the bundled assets on a developer's machine. The tarball ships a static 'web unblocker' proxy site (HTML masquerading as 'Riverbend Tutoring' that injects a popunder to https://abdct.com on user click, plus the ServiceWorker that proxies cross-origin fetches and rewrites HTML), along with multiple heavily obfuscated JS bundles under assets/ (e.g. assets/3oruu3por5.js , assets/blhj60cfaf.js , etc.) consistent with that proxy site rather than with a Node library. A bundled auto-publish.sh enumerates a sequential family of package names ( sixseven1 .. sixseven10 ), indicating this publish is part of a name-squat batch on the npm registry. Risk to anyone running npm install sixseven9 is limited to disk usage and registry pollution; the obfuscated assets and ad popunder only affect end users of a hypothetical site that deploys this code, not developers who install the package. Routing to human review so the registry can decide whether to remove the squat batch.
Source: amazon-inspector (21936e53270838d4901646de1e1c3eef9212055032d3cead428cbf3bfd60b9ed)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.