MAL-2026-6128

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden218/MAL-2026-6128.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6128

Published

2026-06-18T16:29:46Z

Modified

2026-06-18T17:16:48.351192386Z

Summary

Malicious code in abuden218 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66)

Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry (importScripts) that throws when loaded under Node — the package is not a usable npm library. The shipped contents are a static web-proxy application (bare-mux v2.1.9 plus a service-worker proxy in sw.js), with index.html cover-storying the bundle as 'Riverbend Tutoring' while a Roblox shortcut icon and code that opens https://abdct.com/ on user interaction are included. All 12 asset JS files are heavily obfuscated (hex-prefixed identifiers like _0xaaed02 throughout assets/*.js). The tarball additionally ships auto-publish.sh, a shell script that iterates the names 'ratelimitsucks', 'ratelimitsucks1',..., copies the tree to a temp dir, rewrites package.json.name, and runs npm publish --silent in parallel — i.e., the author's own mass-republishing pipeline accidentally included in the release. The package has no lifecycle hooks, so installing it does not directly execute code on the installer; the harm is registry pollution and consumer deception (developers who npm install this expecting a library get a non-functional service-worker bundle masquerading as one of many spam-named republishes).

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:29:46Z",
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-007007",
            "import_time": "2026-06-18T17:08:47.973525009Z"
        }
    ]
}

References

https://www.npmjs.com/package/abuden218/v/1.7.7

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / abuden218

Package

Name: abuden218; View open source insights on deps.dev
Purl: pkg:npm/abuden218

Affected ranges

Affected versions

1.*

1.7.7

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden218/MAL-2026-6128.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "sha256": "531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579",
            "tlsh": "785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8",
            "path": "auto-publish.sh"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-R1L0ozjmRT6iuZdjO3fxj4WkvEtMXS8gNV3QI+iPZXQk/fKiLoe4mSSrbF0N/wnpElnW0hUiB1ZerZaQ8mbMCg==",
                "sha1": "d8467c281044e885a554aee28237eae385729aae"
            },
            "filename": "abuden218-1.7.7.tgz"
        }
    ]
}