timmytuffknuckles3 @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC
OSV ID
MAL-2026-10388
Ecosystem
npm
Summary
The package ships twelve heavily obfuscated JavaScript files under assets/ (e.g. assets/3oruu3por5.js, assets/6y4sp7rdhb.js, assets/wlaswqv83p.js), each using hex-mangled identifiers consistent with a JavaScript obfuscator. Obfuscation alone is not proof of malicious behavior, and no install-time lifecycle hook, hardcoded exfiltration endpoint, credential-path read, or remote dropper has been observed in the package contents. The asset files are not visibly invoked from the package's main entry or from a postinstall script in the available evidence. Routing to human review so a reviewer can de-obfuscate the asset bundle and determine whether it is benign tooling output or hides installer-side harm.
Source: amazon-inspector (3ca256e52e28fe9f7cfdd4c0b42e699f1b29c5e141df2ad73d7737f522fc7c85)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.