MAL-2026-5917

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff4/MAL-2026-5917.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5917
Published
2026-06-16T19:27:24Z
Modified
2026-06-16T20:01:50.378100855Z
Summary
Malicious code in nottuff4 (npm)
Details


Source: amazon-inspector (c4f105cfb08cd05b609d2fb92793d7f8cb61d42add7d39e2491e6ba791f550e1)

Package ships a Scramjet-based web proxy (sw.js service worker + bare-mux + WASM rewriter under assets/) plus a static 'Riverbend Tutoring' index.html cover page. index.html lines 60-69 install click/keydown/touchstart listeners that call window.open("https://abdct.com/", "_blank", "noreferrer") on first user interaction. The package is one of ~85 throwaway sibling names auto-published via the bundled auto-publish.sh (imillegal*, ishowfeet*, nottuff*, abuden*, ratelimitsucks*); package.json carries placeholder metadata (name 'package', empty author, no homepage/repo). The asset JavaScript is heavily obfuscated (hex-mangled identifiers throughout assets/*.js), consistent with the upstream Scramjet bundles. main is set to sw.js, which begins with importScripts('./8cfc2/hgshm.js') and uses service-worker globals (self.addEventListener for install/activate/fetch/message); require('nottuff4') from Node throws on the first line, so there is no install-time or import-time code path that executes against a developer who runs npm install nottuff4. The harm — namespace pollution, ToS-evading proxying, and the monetized popup redirect — only materializes when someone unpacks the tarball and serves it as a website to browser visitors. Routing for human review as registry-policy abuse rather than as a supply-chain attack on installers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c4f105cfb08cd05b609d2fb92793d7f8cb61d42add7d39e2491e6ba791f550e1",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:27:24Z",
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-006818",
            "import_time": "2026-06-16T19:46:15.143193953Z"
        }
    ]
}
References
Credits

Affected packages

npm / nottuff4

Package: npm / nottuff4
Affected ranges: 1.*
Affected versions: 1.7.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff4/MAL-2026-5917.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-nrrKCYLkCHKBnBpIq8VRf8xsWrtWcvJw/Cs7kWPK6FHnamAxVorc5ggFtqJY2AgGFy7+7XWBlsm2A8SAXU64Lg==",
                "sha1": "0b5f54aa31601d3ad8ce7cad2fb73028e3bc717c"
            },
            "filename": "nottuff4-1.7.7.tgz"
        }
    ]
}