MAL-2026-5916

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff25/MAL-2026-5916.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5916
Published
2026-06-16T19:27:25Z
Modified
2026-06-16T20:01:50.128330795Z
Summary
Malicious code in nottuff25 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0)

The tarball is not a Node library. package.json declares main: sw.js with the description "package" and an empty author field; sw.js is a browser ServiceWorker (importScripts('./8cfc2/hgshm.js'), self.skipWaiting(), self.clients, fetch interception) and does nothing meaningful when loaded via require('nottuff25') in Node.

The shipped static site bundles the Mercury Workshop Scramjet web proxy plus bare-mux, branded as "Riverbend Tutoring" while its og:url points at 21baseballacademy.com, a misrepresentation of what the npm name advertises.

The tarball also ships auto-publish.sh, a bash script with a hardcoded list of 95+ sibling package names (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) that rewrites package.json and runs npm publish --silent in a loop: the attacker's own mass-publication pipeline, shipped inside the artifact, with the current package name nottuff25 appearing as a literal entry in that list.

index.html additionally registers click/keydown/touchstart listeners that open https://abdct.com/ as a popunder on first interaction (browser-side adware, not installer-side).

No install-time or require-time exfiltration, RCE, or credential theft is present, but this is a coordinated namespace-pollution campaign and the package misrepresents itself to npm consumers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "238a4f56f3433bf34de372e9a26264a33e33c6bde8592ddc73594d33ab7427f0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:27:25Z",
            "id": "IN-MAL-2026-006819",
            "versions": [
                "1.7.7"
            ],
            "import_time": "2026-06-16T19:46:15.266329323Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / nottuff25
Affected versions: 1.7.7 (listed under the 1.* group; no explicit affected range is given)

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff25/MAL-2026-5916.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
            "tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "8bc6b5f28f78770058df141fa2c8e5c73211989cc00089b99ba6abf6571be356",
            "tlsh": "45d0a7681d40a52315c585171c2894567220df1f1444780953df282c419eab35cf635d",
            "path": "package.json"
        },
        {
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "path": "index.html"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-il4K6NNsw4Q4OB8z7yWty0EcNz6pomcPn9FRnoG8Cufa4fmEy57U5BWkhq42+cal0s1IM5ByLeVsF8MBTmN7EA==",
                "sha1": "7601145a5e09796c48ae385999a9d9e18d4d71f9"
            },
            "filename": "nottuff25-1.7.7.tgz"
        }
    ]
}