{"id":"MAL-2026-5915","summary":"Malicious code in nottuff23 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd)\nThe package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships `auto-publish.sh`, which hard-codes a list of sibling names (`nottuff1..30`, `ishowfeet1..20`, `imillegal1..5`, `abuden*`, `ratelimitsucks*` — `nottuff23` is on the list) and republishes the same payload to each name by rewriting `package.json.name` and running `npm publish --silent`. The shipped content is not a Node library: `package.json.main` points at `sw.js`, a browser service worker that uses `importScripts`, `self.addEventListener('install'|'activate'|'fetch'|'message',...)` — APIs that do not exist in Node and would throw if `require()`'d. The bundled obfuscated `assets/*.js` files are a dormant Ultraviolet-style web-proxy frontend, plus an `index.html` titled \"Riverbend Tutoring\" that loads remote scripts from `cdn.21baseballacademy.com` and `googletagmanager.com` and opens `https://abdct.com/` on click. There are no npm lifecycle hooks (`scripts` contains only a no-op `test`); `npm install` and `require()` execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.\n","modified":"2026-06-16T20:01:50.010588017Z","published":"2026-06-16T19:27:26Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006820","import_time":"2026-06-16T19:46:15.319472083Z","source":"amazon-inspector","versions":["1.7.7"],"sha256":"41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd","modified_time":"2026-06-16T19:27:26Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nottuff23/v/1.7.7"}],"affected":[{"package":{"name":"nottuff23","ecosystem":"npm","purl":"pkg:npm/nottuff23"},"versions":["1.7.7"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff23/MAL-2026-5915.json","indicators":{"evidence_files":[{"path":"auto-publish.sh","sha256":"eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c","tlsh":"2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090"},{"sha256":"bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12","path":"sw.js","tlsh":"98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9"},{"sha256":"6f27d1cad4ef020e2954c34e92a0e4491102e51b8a339a5c889224f1470ea601","path":"package.json","tlsh":"dfd0a7681d40952315c5851a1c2894567220df1f1484380d53df182c419ea735cf635d"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-rctDIa0u9MbIlyI0MWzqapp0jqkZmUYrDFr42DBeKcFLOjUYNwm2vxbdg6xnvA1mazEdzsJ1xNYApv4Cq+VkmQ==","sha1":"5caa90e361157666647d437071c4a7309472d56d"},"filename":"nottuff23-1.7.7.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}