{"id":"MAL-2026-5916","summary":"Malicious code in nottuff25 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0)\nThe tarball is not a Node library. `package.json` declares `main: sw.js` with description `\"package\"` and an empty author; `sw.js` is a browser ServiceWorker (`importScripts('./8cfc2/hgshm.js')`, `self.skipWaiting()`, `self.clients`, fetch interception) that has no meaning when consumed via `require('nottuff25')` in Node. The shipped static site bundles the Mercury Workshop Scramjet web proxy plus bare-mux, branded as \"Riverbend Tutoring\" while pointing `og:url` at `21baseballacademy.com` — a misrepresentation of what the npm name advertises. The tarball also ships `auto-publish.sh`, a bash script with a hardcoded list of 95+ sibling package names (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) that rewrites `package.json` and runs `npm publish --silent` in a loop — the attacker's own mass-publication pipeline shipped inside the artifact, with the current package name `nottuff25` appearing as a literal entry in that list. `index.html` additionally registers click/keydown/touchstart listeners that open `https://abdct.com/` as a popunder on first interaction (browser-side adware, not installer-side). No install/require-time exfil, RCE, or credential theft is present, but this is a coordinated namespace-pollution campaign and the package misrepresents itself to npm consumers.\n","modified":"2026-06-16T20:01:50.128330795Z","published":"2026-06-16T19:27:25Z","database_specific":{"malicious-packages-origins":[{"versions":["1.7.7"],"source":"amazon-inspector","sha256":"238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0","modified_time":"2026-06-16T19:27:25Z","import_time":"2026-06-16T19:46:15.266329323Z","id":"IN-MAL-2026-006819"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nottuff25/v/1.7.7"}],"affected":[{"package":{"name":"nottuff25","ecosystem":"npm","purl":"pkg:npm/nottuff25"},"versions":["1.7.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff25/MAL-2026-5916.json","indicators":{"evidence_files":[{"path":"auto-publish.sh","sha256":"eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c","tlsh":"2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090"},{"tlsh":"45d0a7681d40a52315c585171c2894567220df1f1444780953df282c419eab35cf635d","sha256":"8bc6b5f28f78770058df141fa2c8e5c73211989cc00089b99ba6abf6571be356","path":"package.json"},{"tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad","sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c","path":"index.html"}],"package_integrity":[{"hashes":{"sha1":"7601145a5e09796c48ae385999a9d9e18d4d71f9","sha512_sri":"sha512-il4K6NNsw4Q4OB8z7yWty0EcNz6pomcPn9FRnoG8Cufa4fmEy57U5BWkhq42+cal0s1IM5ByLeVsF8MBTmN7EA=="},"filename":"nottuff25-1.7.7.tgz"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}