sixseven9 @1.7.7
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10381
Ecosystem
npm
Summary
The package declares no install/postinstall/preinstall lifecycle scripts, and its declared main is sw.js — a browser ServiceWorker that uses importScripts , self.addEventListener('install'|'fetch'|'activate') , and self.clients.claim() . Loading it in Node via require() would throw on the browser-only globals before any code ran, so installing this package does not execute any of the bundled assets on a developer's machine. The tarball ships a static 'web unblocker' proxy site (HTML masquerading as 'Riverbend Tutoring' that injects a popunder to https://abdct.com on user click, plus the ServiceWorker that proxies cross-origin fetches and rewrites HTML), along with multiple heavily obfuscated JS bundles under assets/ (e.g. assets/3oruu3por5.js , assets/blhj60cfaf.js , etc.) consistent with that proxy site rather than with a Node library. A bundled auto-publish.sh enumerates a sequential family of package names ( sixseven1 .. sixseven10 ), indicating this publish is part of a name-squat batch on the npm registry. Risk to anyone running npm install sixseven9 is limited to disk usage and registry pollution; the obfuscated assets and ad popunder only affect end users of a hypothetical site that deploys this code, not developers who install the package. Routing to human review so the registry can decide whether to remove the squat batch.
Source: amazon-inspector (b1ed9c23f2c82d9e91d783110274aff10788de9e0e9a783964702ea26c7b1cc4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.