{"id":"MAL-2026-6136","summary":"Malicious code in ratelimitsucks6 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0)\nratelimitsucks6 is one variant in a numerically-iterated family (ratelimitsucks1, ratelimitsucks2,...) generated by auto-publish.sh shipped inside the tarball. That script is an infinite loop that rewrites package.json's `name` field to ${BASE_NAME}${COUNT} and runs `npm publish --silent` for each variant — attacker auto-publication infrastructure accidentally included with the release. Package metadata is deceptive: the description is just \"package\", the author is empty, and the package name has no relation to the shipped contents. The tarball ships a full Scramjet web-proxy runtime (sw.js + 8cfc2/hgshm.js, 180 KB), twelve heavily-obfuscated JS bundles under assets/ (hex-mangled identifiers throughout), and an index.html cloaked as \"Riverbend Tutoring\" that loads a third-party script from cdn.21baseballacademy.com and opens https://abdct.com/ in a new window on the first user interaction. No npm lifecycle hooks are declared and `main: sw.js` calls importScripts(), which is undefined in Node, so the package does not auto-execute on `npm install` or `require()`. The harm is registry pollution and namespace abuse: the publisher is flooding npm with iterated lure names hosting an obfuscated browser-side proxy/redirector payload.\n","modified":"2026-06-18T17:16:47.042939967Z","published":"2026-06-18T16:30:08Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-18T16:30:08Z","versions":["1.1.7"],"sha256":"c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0","import_time":"2026-06-18T17:08:48.160232901Z","id":"IN-MAL-2026-007010","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ratelimitsucks6/v/1.1.7"}],"affected":[{"package":{"name":"ratelimitsucks6","ecosystem":"npm","purl":"pkg:npm/ratelimitsucks6"},"versions":["1.1.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ratelimitsucks6/MAL-2026-6136.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"ratelimitsucks6-1.1.7.tgz","hashes":{"sha512_sri":"sha512-sDkrImDYfjjDiONhKCPWwsJUjnTiRbXD6L/bpNCiGSr5ibmdHDXujxg/vm8XwA9nOVk2IhZBN4MAG8dahDv9Sg==","sha1":"81b0b1d3b2978fcabe050269291209bbb58fc33e"}}],"evidence_files":[{"path":"auto-publish.sh","sha256":"1ddc03600e585dbe77f16ce135d038e8daa41f167b7504ef4a4b4fae91bbf4d5","tlsh":"5ff0dc8811c23e311b2f182969d6b084431eb42224347780b0ce00913fcf1da9503c3b"},{"path":"index.html","sha256":"f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c","tlsh":"2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad"},{"path":"sw.js","sha256":"bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12","tlsh":"98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}
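The record above reaches its verdict from four observations: no lifecycle hooks in package.json, a `main` that calls the browser-only `importScripts()`, a publish loop shipped in the tarball, and a package name that is one member of a numbered family. The script below is an added triage example that reproduces that reasoning over an npm tarball; it is not part of the advisory and not Amazon Inspector's tooling. The tarball it inspects is constructed inline to mimic the described layout (a `sw.js` main, a looping `auto-publish.sh`, no hooks), and the function names `analyze_tarball`, `family_base` and `build_sample_tarball` are mine. The publish loop it embeds is an approximation of what the advisory describes, not the real `auto-publish.sh`.

```python
"""Triage an npm tarball the way the advisory does (added example, constructed input)."""
import io
import json
import re
import tarfile

# npm runs these scripts without the installer asking for them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# "<base><digits>" with an optional scope; a heuristic, so "sha256" also matches.
ITERATED_NAME = re.compile(r"^(?:@[^/]+/)?(?P<base>[a-z][a-z0-9._-]*?)(?P<n>\d+)$")

# Constructed approximation of the loop the advisory describes (not the real script).
AUTO_PUBLISH = r'''#!/bin/sh
BASE_NAME=ratelimitsucks
COUNT=1
while true; do
  sed -i "s/\"name\": *\"[^\"]*\"/\"name\": \"${BASE_NAME}${COUNT}\"/" package.json
  npm publish --silent
  COUNT=$((COUNT + 1))
done
'''


def family_base(name):
    """Return (base, number) if the name looks like one member of an iterated family."""
    m = ITERATED_NAME.match(name)
    if not m:
        return None
    return m.group("base"), int(m.group("n"))


def analyze_tarball(data):
    """Inspect a gzipped npm tarball (bytes) and report the auto-execution indicators."""
    findings = {
        "lifecycle_hooks": {},      # scripts npm would run on install
        "main": None,               # entry point require() would load
        "main_browser_only": False, # main calls importScripts(), undefined in Node
        "publish_loop_scripts": [], # shell files that loop over `npm publish`
        "iterated_name": None,      # (base, n) if the name is numerically iterated
        "auto_executes_on_install": False,
    }
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        pkg = json.loads(tar.extractfile(members["package/package.json"]).read())

        scripts = pkg.get("scripts", {})
        findings["lifecycle_hooks"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
        findings["auto_executes_on_install"] = bool(findings["lifecycle_hooks"])

        main = pkg.get("main", "index.js")
        findings["main"] = main
        main_member = members.get("package/" + main)
        if main_member is not None:
            src = tar.extractfile(main_member).read().decode("utf-8", "replace")
            findings["main_browser_only"] = "importScripts(" in src

        for name, m in members.items():
            if name.endswith(".sh"):
                body = tar.extractfile(m).read().decode("utf-8", "replace")
                if "npm publish" in body and re.search(r"\bwhile\b", body):
                    findings["publish_loop_scripts"].append(name.split("/", 1)[1])

        findings["iterated_name"] = family_base(pkg.get("name", ""))
    return findings


def build_sample_tarball():
    """Constructed stand-in for the described tarball layout (not the real .tgz)."""
    files = {
        "package/package.json": json.dumps({
            "name": "ratelimitsucks6", "version": "1.1.7",
            "description": "package", "author": "", "main": "sw.js",
        }),
        "package/sw.js": 'importScripts("/8cfc2/hgshm.js");\n',
        "package/auto-publish.sh": AUTO_PUBLISH,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(analyze_tarball(build_sample_tarball()), indent=2))
```

To run it against a real package, replace the constructed bytes with the output of `npm pack <name>@<version>` read from disk. A clean `lifecycle_hooks` result only says the package does not run on install; it says nothing about what the shipped browser code does once served, which is why the advisory still classifies the package as malicious.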