MAL-2026-5918

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff7/MAL-2026-5918.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5918
Published
2026-06-16T19:27:27Z
Modified
2026-06-16T20:01:50.669136314Z
Summary
Malicious code in nottuff7 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8)

This package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh, which iterates the name list and runs npm publish for each, documenting the registry-pollution intent.

The package's declared main entry sw.js is a browser ServiceWorker (importScripts('./8cfc2/hgshm.js'), self.addEventListener('install'|'fetch'|...)). It cannot execute under Node, so npm install and require() produce no installer-side code execution, and there are no lifecycle hooks.

Heavily obfuscated bundles in assets/*.js are loaded only when the assets are served to a browser via an npm CDN (unpkg/jsdelivr), which appears to be the actual distribution channel: it lets users bypass web filters by reaching the proxy through registry-CDN hostnames.

The cover page (index.html, titled 'Riverbend Tutoring') ships a click/keydown/touchstart popunder opening https://abdct.com/, indicating an ad-monetization motive.

No installer credential theft, no exfiltration, no install-time RCE.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "014548171545d3357baafaf1ec9c1755860bacdcf94b42161d8e32b0c94ab3c8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T19:27:27Z",
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-006821",
            "import_time": "2026-06-16T19:46:15.392786095Z"
        }
    ]
}
References
Credits

Affected packages

npm / nottuff7

Package: npm / nottuff7
Affected ranges: 1.*
Affected versions: 1.7.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nottuff7/MAL-2026-5918.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
            "tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "path": "index.html"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-pDwerf98zC9jkboorZ8aXXdAKwGrKxYp3AM2vdP1J1GrRNVZumjz9YVCbA5wFAx7e7Wa/8tRWioy9iHycXHkWw==",
                "sha1": "37bc3e2d8732957a23f029c58cde1d0a9971b669"
            },
            "filename": "nottuff7-1.7.7.tgz"
        }
    ]
}