npm

sixseven5 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10377

Ecosystem

npm

Summary

The package declares no install/postinstall/preinstall lifecycle scripts, and its declared main is sw.js — a browser ServiceWorker that uses importScripts , self.addEventListener('install'|'fetch'|'activate') , and self.clients.claim() . Loading it in Node via require() would throw on the browser-only globals before any code ran, so installing this package does not execute any of the bundled assets on a developer's machine. The tarball ships a static 'web unblocker' proxy site (HTML masquerading as 'Riverbend Tutoring' that injects a popunder to https://abdct.com on user click, plus the ServiceWorker that proxies cross-origin fetches and rewrites HTML), along with multiple heavily obfuscated JS bundles under assets/ (e.g. assets/3oruu3por5.js , assets/blhj60cfaf.js , etc.) consistent with that proxy site rather than with a Node library. A bundled auto-publish.sh enumerates a sequential family of package names ( sixseven1 .. sixseven10 ), indicating this publish is part of a name-squat batch on the npm registry. Risk to anyone running npm install sixseven9 is limited to disk usage and registry pollution; the obfuscated assets and ad popunder only affect end users of a hypothetical site that deploys this code, not developers who install the package. Routing to human review so the registry can decide whether to remove the squat batch.

Source: amazon-inspector (5ff6db681456253158f47c4b36f5d7aa03089ec629cd7d0b0246a9ab6c871efa)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.