MAL-2026-5915

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff23/MAL-2026-5915.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5915
Published
2026-06-16T19:27:26Z
Modified
2026-06-16T20:01:50.010588017Z
Summary
Malicious code in nottuff23 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd)

The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships auto-publish.sh, which hard-codes a list of sibling names (nottuff1..30, ishowfeet1..20, imillegal1..5, abuden*, ratelimitsucks*nottuff23 is on the list) and republishes the same payload to each name by rewriting package.json.name and running npm publish --silent. The shipped content is not a Node library: package.json.main points at sw.js, a browser service worker that uses importScripts, self.addEventListener('install'|'activate'|'fetch'|'message',...) — APIs that do not exist in Node and would throw if require()'d. The bundled obfuscated assets/*.js files are a dormant Ultraviolet-style web-proxy frontend, plus an index.html titled "Riverbend Tutoring" that loads remote scripts from cdn.21baseballacademy.com and googletagmanager.com and opens https://abdct.com/ on click. There are no npm lifecycle hooks (scripts contains only a no-op test); npm install and require() execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-006820",
            "import_time": "2026-06-16T19:46:15.319472083Z",
            "modified_time": "2026-06-16T19:27:26Z",
            "sha256": "41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / nottuff23

Package

Affected ranges

Affected versions

1.*
1.7.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "nottuff23-1.7.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-rctDIa0u9MbIlyI0MWzqapp0jqkZmUYrDFr42DBeKcFLOjUYNwm2vxbdg6xnvA1mazEdzsJ1xNYApv4Cq+VkmQ==",
                "sha1": "5caa90e361157666647d437071c4a7309472d56d"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
            "tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "tlsh": "dfd0a7681d40952315c5851a1c2894567220df1f1484380d53df182c419ea735cf635d",
            "sha256": "6f27d1cad4ef020e2954c34e92a0e4491102e51b8a339a5c889224f1470ea601",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff23/MAL-2026-5915.json"