MAL-2026-6129

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden22/MAL-2026-6129.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6129
Published
2026-06-18T16:29:47Z
Modified
2026-06-18T17:16:45.623643646Z
Summary
Malicious code in abuden22 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57)

The tarball contains a static-site bundle: index.html, obfuscated asset chunks, a service worker (sw.js), and the MercuryWorkshop/Scramjet web-proxy bundle under 8cfc2/hgshm.js. The package's declared main entry is sw.js, which is a browser ServiceWorker (it uses importScripts and self.addEventListener('install'|'activate'|'fetch'|'message')) and cannot run in Node: require()/import in Node throws as soon as those browser globals are referenced. There are no preinstall/install/postinstall lifecycle hooks; only a test script is declared.

The tarball also ships auto-publish.sh, a bash loop that copies the package contents into temporary directories and republishes them under sequential names (ratelimitsucks, ratelimitsucks1, ...) via npm publish --silent, using the author's own ambient npm credentials. This script is not referenced by any lifecycle hook or bin entry and does not execute on npm install.

index.html additionally contains a browser-side popunder that opens https://abdct.com/ on the first user gesture. This only affects visitors to a deployed copy of the static site, not developers who install the package. The heavily obfuscated JS files under assets/ are part of the Scramjet web-proxy bundle.

There is no Node-reachable code path that exfiltrates data, fetches remote payloads at install or import time, or otherwise harms the installer's environment. The package constitutes registry/CDN abuse and typosquat-style mass publishing rather than a supply-chain attack against installers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:29:47Z",
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-007008",
            "import_time": "2026-06-18T17:08:48.037163716Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / abuden22
Affected ranges: 1.*
Affected versions: 1.7.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden22/MAL-2026-6129.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "sha256": "531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579",
            "tlsh": "785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "path": "index.html"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-kneZS3DaX+idrXwr274xgs7u/BjtK/bPD69H5bzmCxbLLHvyiszx/k+CRXj/L3p13o0aKliMD6s4bUbOd8ZMhQ==",
                "sha1": "40cbe9ea4ba92a8883d2cbe006a3bb78bb6a04a6"
            },
            "filename": "abuden22-1.7.7.tgz"
        }
    ]
}