timmytuffknuckles6 @2.0.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC
OSV ID
MAL-2026-10389
Ecosystem
npm
Summary
This package is not a Node.js library. package.json declares "main": "sw.js" , a Service Worker that calls importScripts('./8cfc2/hgshm.js') — an API that does not exist in Node, so require('timmytuffknuckles6') throws immediately and the bundled obfuscated assets never execute on the installer's machine. The tarball contents are a school-unblocker / bare-mux web proxy bundle (index.html, multiple obfuscated assets/*.js files, WASM) wrapped in a Riverbend Tutoring cover page that, when served and visited in a browser, loads third-party scripts and opens popunders to external sites. There are no preinstall / install / postinstall lifecycle scripts, and no top-level Node-reachable code path that runs on install or require. The repository also ships auto-publish.sh , an author-run loop that rewrites package.json.name to timmytuffknuckles1 .. timmytuffknuckles10 and republishes the same payload under each name, polluting the npm namespace with ten clones. The script is not a lifecycle hook and does not run on install. The heavy obfuscation in assets/*.js is consistent with the Ultraviolet/bare-mux proxy framework these projects use, not with installer-side harm. Routing to human review because the package is registry-misuse (proxy webapp masquerading as an npm library, plus deliberate ten-name namespace squatting) even though it does not attack installers.
Source: amazon-inspector (22ef6fa6c2b9f80d6a1f79e532a9d9ea083a1c662bc834d118879ba630842b0c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.