npm

speed5 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10385

Ecosystem

npm

Summary

speed3@1.1.7 is not a functional Node package. package.json declares main: sw.js , but sw.js is a browser ServiceWorker ( importScripts('./8cfc2/hgshm.js') , self.addEventListener('install'|'activate'|'fetch'|'message') ) — require('speed3') throws immediately in Node, so there is no install-time or import-time code-execution path that touches the installer. The tarball bundles a static web-proxy frontend (bare-mux / Ultraviolet / Scramjet stack, confirmed by bare-mux: running v2.1.9 in d1g0y/xsv4z.js) plus an index.html popunder that opens https://abdct.com/ on user click/keydown/touchstart with a 15-minute cooldown — browser behavior for visitors of the deployed site, not npm consumers. The tarball also ships auto-publish.sh ( BASE="speed"; TOTAL=5; PARALLEL=2;... pkg.name = '$NAME'; npm publish --silent ), and the recursive nested directories tmp_speed2/ and tmp_speed2/tmp_speed1/ inside the published tarball are direct evidence the author ran the script to mass-publish speed1..speed5 typosquat names. The many heavily-obfuscated assets/*.js files are browser bundles loaded by the deployed index.html and are not reachable from any Node entry point. Routing to human review for namespace-abuse adjudication: the lure is non-functional and the bundled obfuscated assets cannot be fully audited, so a reviewer should confirm the typosquat campaign and request takedown across the speedN family.

Source: amazon-inspector (1eec0d2d56f1e9730af8b7f3a7b8897e86491d48663f7b09ae7c716f6b3c0092)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.