{"id":"MAL-2026-6129","summary":"Malicious code in abuden22 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57)\nThe tarball contains a static-site bundle (index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js). The package's declared main entry is sw.js, which is a browser ServiceWorker (uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node — require()/import in Node throws on those globals. There are no preinstall/install/postinstall lifecycle hooks; only a `test` script is declared. The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temp directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1,...) via `npm publish --silent`, using the author's own ambient credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on `npm install`. index.html also contains a browser-side popunder that opens https://abdct.com/ on the first user gesture, which only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle. There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install/import, or otherwise harms the installer's environment. The package is registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.\n","modified":"2026-06-18T17:16:45.623643646Z","published":"2026-06-18T16:29:47Z","database_specific":{"malicious-packages-origins":[{"sha256":"1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57","modified_time":"2026-06-18T16:29:47Z","source":"amazon-inspector","id":"IN-MAL-2026-007008","import_time":"2026-06-18T17:08:48.037163716Z","versions":["1.7.7"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/abuden22/v/1.7.7"}],"affected":[{"package":{"name":"abuden22","ecosystem":"npm","purl":"pkg:npm/abuden22"},"versions":["1.7.7"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden22/MAL-2026-6129.json","indicators":{"evidence_files":[{"path":"sw.js","sha256":"bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12","tlsh":"98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9"},{"path":"auto-publish.sh","sha256":"531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579","tlsh":"785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8"},{"path":"index.html","sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c","tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad"}],"package_integrity":[{"hashes":{"sha1":"40cbe9ea4ba92a8883d2cbe006a3bb78bb6a04a6","sha512_sri":"sha512-kneZS3DaX+idrXwr274xgs7u/BjtK/bPD69H5bzmCxbLLHvyiszx/k+CRXj/L3p13o0aKliMD6s4bUbOd8ZMhQ=="},"filename":"abuden22-1.7.7.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}