{"id":"MAL-2026-6130","summary":"Malicious code in abuden221 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90)\nThe tarball is a static-site / web-proxy build (index.html, /assets/*.js bundles with obfuscated names, a .well-known/discord verification file, branding) rather than a Node.js library. package.json declares main: sw.js, but sw.js is a browser ServiceWorker that calls importScripts('./8cfc2/hgshm.js'), a global that does not exist in Node, so require()-ing this package throws with a ReferenceError before any of its code runs. There are no preinstall/install/postinstall/prepare lifecycle hooks and no Node-reachable network I/O, credential reads, or shell execution, so installing the package does not produce installer-side harm. The bundled service worker is an Ultraviolet-style web proxy that, when deployed in a browser, injects a script into proxied HTML responses to redirect window.open / anchor clicks / form submits via postMessage; this is hostile to users of a deployed proxy site, not to npm installers. The tarball also ships auto-publish.sh, a loop that copies the project to a temp dir, rewrites the name field in package.json through 10 sequential names (ratelimitsucks, ratelimitsucks1..ratelimitsucks9), and runs `npm publish --silent` in parallel: registry-namespace-spam tooling. The script is not wired to any lifecycle hook and does not run on install. Obfuscated bundles under assets/ are typical for a deployed proxy frontend and do not execute in Node.\n\nRouted to human review because the package is misusing npm as static hosting and documents intent to mass-publish duplicates under sequential names; this is registry abuse worth a maintainer/registry response, but not a supply-chain attack against installers.\n","modified":"2026-06-18T17:16:45.692455275Z","published":"2026-06-18T16:29:47Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.7.7"],"import_time":"2026-06-18T17:08:48.088047189Z","modified_time":"2026-06-18T16:29:47Z","sha256":"fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90","id":"IN-MAL-2026-007009"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/abuden221/v/1.7.7"}],"affected":[{"package":{"name":"abuden221","ecosystem":"npm","purl":"pkg:npm/abuden221"},"versions":["1.7.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden221/MAL-2026-6130.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-u64HHiRWrVljng1g8IQoT2gKl6wwvlVUdLNWMspWHFNeb9qe1gb0mc4kGXmcd3K+4pF/Sj0x+RlHvrJat8fU5w==","sha1":"94ed24ccb203358fb4d138840813dffa69cb901b"},"filename":"abuden221-1.7.7.tgz"}],"evidence_files":[{"path":"sw.js","sha256":"bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12","tlsh":"98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9"},{"path":"auto-publish.sh","sha256":"531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579","tlsh":"785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}