-= Per source details. Do not edit below this line.=-
The tarball ships auto-publish.sh, which iterates a hardcoded list of ~90 unrelated package names (imillegal1..N, ishowfeet*, nottuff*, abuden*, ratelimitsucks*) and runs npm publish --silent for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in assets/*.js. package.json has no preinstall/install/postinstall hooks and no bin; the declared main is a browser service worker (sw.js) that calls importScripts/self and throws immediately under Node, so npm install abuden21 and require('abuden21') perform no code execution against the installer. The bundled index.html (and a duplicate inside logo.svg) registers click/keydown/touchstart handlers that open https://abdct.com/ as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.
{
"malicious-packages-origins": [
{
"versions": [
"1.7.7"
],
"id": "IN-MAL-2026-006860",
"import_time": "2026-06-17T00:00:53.898636484Z",
"modified_time": "2026-06-16T23:43:22Z",
"sha256": "4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
"tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
"path": "auto-publish.sh"
},
{
"sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
"tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
"path": "index.html"
}
],
"package_integrity": [
{
"filename": "abuden21-1.7.7.tgz",
"hashes": {
"sha512_sri": "sha512-B6dWi9yMIYL9/pDGGecgVnuM8YexzjSAHvvInDS9sryxKqD3QPwMge46yvNjgA3pWomEBM2latzdSIROJUKywg==",
"sha1": "d8d167b306f248d9722937c64d105b1b044d28d8"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden21/MAL-2026-5937.json"