npm

timmytuffknuckles9 @2.0.0

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 9:46 AM UTC

Malicious

OSV ID

MAL-2026-10390

Ecosystem

npm

Summary

Package is not a Node library — package.json declares main: sw.js , a browser Service Worker whose first line calls importScripts('./8cfc2/hgshm.js') . importScripts is undefined in Node, so require('timmytuffknuckles9') throws immediately. No preinstall , install , postinstall , or prepare lifecycle scripts are declared, so npm install does not execute any package code. The tarball contains a bundled web app (a Lucide-style web proxy/unblocker) with heavily obfuscated JS assets and a popup ad redirect to abdct.com , but those run only inside a browser that loads the Service Worker — not on the developer's machine. Separately, the tarball ships auto-publish.sh , a helper that rewrites package.json.name in a loop to timmytuffknuckles1 through timmytuffknuckles10 and runs npm publish for each, evidence that the publisher is using npm as a hosting/CDN-style namespace and mass-publishing near-duplicate package names. This script is not wired to any lifecycle hook and does not run on install. Routing to human review for registry-hygiene assessment (off-purpose use of npm + namespace spam + heavily obfuscated bundled assets) rather than installer-harm.

Source: amazon-inspector (342d7a44db99769023685647376a6042d5a9b345c281826484c9d88561f245ca)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.