-= Per source details. Do not edit below this line.=-
The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships auto-publish.sh, which hard-codes a list of sibling names (nottuff1..30, ishowfeet1..20, imillegal1..5, abuden*, ratelimitsucks* — nottuff23 is on the list) and republishes the same payload to each name by rewriting package.json.name and running npm publish --silent. The shipped content is not a Node library: package.json.main points at sw.js, a browser service worker that uses importScripts, self.addEventListener('install'|'activate'|'fetch'|'message',...) — APIs that do not exist in Node and would throw if require()'d. The bundled obfuscated assets/*.js files are a dormant Ultraviolet-style web-proxy frontend, plus an index.html titled "Riverbend Tutoring" that loads remote scripts from cdn.21baseballacademy.com and googletagmanager.com and opens https://abdct.com/ on click. There are no npm lifecycle hooks (scripts contains only a no-op test); npm install and require() execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.
{
"malicious-packages-origins": [
{
"versions": [
"1.7.7"
],
"id": "IN-MAL-2026-006820",
"import_time": "2026-06-16T19:46:15.319472083Z",
"modified_time": "2026-06-16T19:27:26Z",
"sha256": "41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "nottuff23-1.7.7.tgz",
"hashes": {
"sha512_sri": "sha512-rctDIa0u9MbIlyI0MWzqapp0jqkZmUYrDFr42DBeKcFLOjUYNwm2vxbdg6xnvA1mazEdzsJ1xNYApv4Cq+VkmQ==",
"sha1": "5caa90e361157666647d437071c4a7309472d56d"
}
}
],
"evidence_files": [
{
"sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
"tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
"path": "auto-publish.sh"
},
{
"sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
"tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
"path": "sw.js"
},
{
"tlsh": "dfd0a7681d40952315c5851a1c2894567220df1f1484380d53df182c419ea735cf635d",
"sha256": "6f27d1cad4ef020e2954c34e92a0e4491102e51b8a339a5c889224f1470ea601",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff23/MAL-2026-5915.json"