{"id":"MAL-2026-5918","summary":"Malicious code in nottuff7 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8)\nThis package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh which iterates the name list and runs `npm publish` for each, documenting the registry-pollution intent. The package's declared main entry `sw.js` is a browser ServiceWorker (`importScripts('./8cfc2/hgshm.js')`, `self.addEventListener('install'|'fetch'|...)`) — it cannot execute under Node, so `npm install` and `require()` produce no installer-side code execution and there are no lifecycle hooks. Heavily obfuscated bundles in assets/*.js are loaded only when the assets are served to a browser via an npm CDN (unpkg/jsdelivr), which appears to be the actual distribution channel — letting users bypass web filters by reaching the proxy through registry-CDN hostnames. The cover page (index.html, titled 'Riverbend Tutoring') ships a click/keydown/touchstart popunder opening https://abdct.com/, indicating ad-monetization motive.\nNo installer credential theft, no exfiltration, no install-time RCE.\n","modified":"2026-06-16T20:01:50.669136314Z","published":"2026-06-16T19:27:27Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006821","versions":["1.7.7"],"source":"amazon-inspector","sha256":"014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8","import_time":"2026-06-16T19:46:15.392786095Z","modified_time":"2026-06-16T19:27:27Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/nottuff7/v/1.7.7"}],"affected":[{"package":{"name":"nottuff7","ecosystem":"npm","purl":"pkg:npm/nottuff7"},"versions":["1.7.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff7/MAL-2026-5918.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"nottuff7-1.7.7.tgz","hashes":{"sha512_sri":"sha512-pDwerf98zC9jkboorZ8aXXdAKwGrKxYp3AM2vdP1J1GrRNVZumjz9YVCbA5wFAx7e7Wa/8tRWioy9iHycXHkWw==","sha1":"37bc3e2d8732957a23f029c58cde1d0a9971b669"}}],"evidence_files":[{"sha256":"eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c","tlsh":"2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090","path":"auto-publish.sh"},{"tlsh":"98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9","sha256":"bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12","path":"sw.js"},{"tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad","sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c","path":"index.html"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
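The advisory's two load-bearing claims, that the package has no install-time lifecycle hooks and that its `main` entry is browser-only ServiceWorker code which cannot run under Node, are checks a triage pipeline can make from tarball contents alone, and the unpkg/jsdelivr distribution channel it names can be turned into blocklist URLs. The following is an added example written for this page; it is not code from the advisory, from Amazon Inspector, or from the package. The sample tarballs, their package names, versions and file contents are constructed (the only detail taken from the advisory is the `importScripts('./8cfc2/hgshm.js')` line), the marker regexes are a heuristic rather than a parser, and the CDN URL shapes are the standard `name@version/path` layout those two services use.

```javascript
// Added triage helper (not part of the advisory or of the package it describes):
// answer, from tarball contents alone, "does `npm install` or `require()` run
// code here?" and list the CDN URLs from which browser-only assets would be served.

// Lifecycle scripts npm executes when a package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Hooks declared in package.json that npm would run on install.
function installHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
}

// Heuristic classification of a JS entry file: ServiceWorker-only globals
// present and Node-only APIs absent means the file is browser-only.
function classifyEntry(src) {
  const swMarkers = [
    /\bimportScripts\s*\(/,
    /\bself\.addEventListener\s*\(\s*['"](install|activate|fetch|message)['"]/,
  ];
  const nodeMarkers = [
    /\brequire\s*\(/,
    /\bprocess\.(env|argv|platform|exit)\b/,
    /\bchild_process\b/,
    /\bmodule\.exports\b/,
  ];
  const sw = swMarkers.filter((re) => re.test(src)).length;
  const node = nodeMarkers.filter((re) => re.test(src)).length;
  return { swMarkers: sw, nodeMarkers: node, browserOnly: sw > 0 && node === 0 };
}

// URLs at which a file inside a published tarball is reachable through the two
// CDNs the advisory names; usable directly as blocklist entries.
function cdnUrls(name, version, path) {
  const p = path.replace(/^\.?\//, '');
  return [
    `https://unpkg.com/${name}@${version}/${p}`,
    `https://cdn.jsdelivr.net/npm/${name}@${version}/${p}`,
  ];
}

// `files` maps tarball paths (relative to the package root) to their text.
function triage(files) {
  const pkg = JSON.parse(files['package.json']);
  const hooks = installHooks(pkg);
  const main = pkg.main || 'index.js';
  const mainSrc = files[main.replace(/^\.?\//, '')];
  const entry = mainSrc === undefined ? null : classifyEntry(mainSrc);
  const assets = Object.keys(files).filter((f) => /\.(js|html)$/.test(f));
  return {
    name: pkg.name,
    version: pkg.version,
    main,
    hooks,
    installRunsCode: hooks.length > 0,
    // require() of a browser-only entry throws on the first missing global
    // (e.g. importScripts) instead of reaching any payload; still a heuristic.
    mainIsBrowserOnly: entry !== null && entry.browserOnly,
    cdnUrls: assets.flatMap((f) => cdnUrls(pkg.name, pkg.version, f)),
  };
}

// Constructed sample tarballs (hypothetical names and contents, shaped like the
// two cases the advisory contrasts): a ServiceWorker-only static site, and a
// package with a postinstall hook plus a Node entry point.
const SW_ONLY_TARBALL = {
  'package.json': JSON.stringify({ name: 'example-static-proxy', version: '1.7.7', main: 'sw.js', scripts: { test: 'echo ok' } }),
  'sw.js': "importScripts('./8cfc2/hgshm.js');\nself.addEventListener('install', (e) => self.skipWaiting());\nself.addEventListener('fetch', (e) => e.respondWith(fetch(e.request)));\n",
  'index.html': '<!doctype html><title>cover page</title>',
};
const HOOKED_TARBALL = {
  'package.json': JSON.stringify({ name: 'example-hooked', version: '0.0.1', main: 'index.js', scripts: { postinstall: 'node setup.js' } }),
  'index.js': "const cp = require('child_process');\nmodule.exports = () => cp.execSync('id').toString();\n",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SW_ONLY_TARBALL), null, 2));
  console.log(JSON.stringify(triage(HOOKED_TARBALL), null, 2));
}
```

For the ServiceWorker-only tarball `triage` reports no hooks, `installRunsCode: false` and `mainIsBrowserOnly: true`, which matches the advisory's "no install-time RCE" conclusion while still producing the unpkg and jsdelivr URLs that are the actual distribution channel. The hooked tarball shows the opposite profile. Treat `classifyEntry` as a first-pass filter only: a file can mix `importScripts` with Node code, and obfuscated bundles such as the `assets/*.js` the advisory mentions need to be unpacked, not regex-matched.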