MAL-2026-5937

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden21/MAL-2026-5937.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5937
Published
2026-06-16T23:43:22Z
Modified
2026-06-17T00:16:41.789504922Z
Summary
Malicious code in abuden21 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22)

The tarball ships auto-publish.sh, which iterates a hardcoded list of ~90 unrelated package names (imillegal1..N, ishowfeet*, nottuff*, abuden*, ratelimitsucks*) and runs npm publish --silent for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in assets/*.js. package.json has no preinstall/install/postinstall hooks and no bin; the declared main is a browser service worker (sw.js) that calls importScripts/self and throws immediately under Node, so npm install abuden21 and require('abuden21') perform no code execution against the installer. The bundled index.html (and a duplicate inside logo.svg) registers click/keydown/touchstart handlers that open https://abdct.com/ as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-006860",
            "import_time": "2026-06-17T00:00:53.898636484Z",
            "modified_time": "2026-06-16T23:43:22Z",
            "sha256": "4db5b16c4a10377beb73341758a26afed16a44d377dc03009601f610dd289b22",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / abuden21

Package

Affected ranges

Affected versions

1.*
1.7.7

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "eac36a0d7e3ef6116faba93afc7185a3bd0e8a3e867869c0b17cc56754ab8c5c",
            "tlsh": "2661521c0d19ff360b8be4fba9d2e8e13105ae66d6542913b4bf4c44ab6bb71f059090",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "path": "index.html"
        }
    ],
    "package_integrity": [
        {
            "filename": "abuden21-1.7.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-B6dWi9yMIYL9/pDGGecgVnuM8YexzjSAHvvInDS9sryxKqD3QPwMge46yvNjgA3pWomEBM2latzdSIROJUKywg==",
                "sha1": "d8d167b306f248d9722937c64d105b1b044d28d8"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden21/MAL-2026-5937.json"