MAL-2026-6130

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden221/MAL-2026-6130.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6130
Published
2026-06-18T16:29:47Z
Modified
2026-06-18T17:16:45.692455275Z
Summary
Malicious code in abuden221 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90)

The tarball is a static-site / web-proxy build (index.html, /assets/*.js bundles with obfuscated names, a .well-known/discord verification file, branding) rather than a Node.js library. package.json declares main: sw.js, but sw.js is a browser ServiceWorker that calls importScripts('./8cfc2/hgshm.js'), a global that does not exist in Node, so require()-ing this package throws before any code runs. There are no preinstall/install/postinstall/prepare lifecycle hooks, and no Node-reachable network I/O, credential reads, or shell execution, so installing the package does not produce installer-side harm.

The bundled service worker is an Ultraviolet-style web proxy that, when deployed in a browser, injects a script into proxied HTML responses to redirect window.open / anchor clicks / form submits via postMessage. This is hostile to users of a deployed proxy site, not to npm installers.

The tarball also ships auto-publish.sh, a loop that copies the project to a temp dir, rewrites the package.json name field through 10 sequential names (ratelimitsucks, ratelimitsucks1..ratelimitsucks9), and runs npm publish --silent in parallel: registry-namespace-spam tooling. The script is not wired to any lifecycle hook and does not run on install. Obfuscated bundles under assets/ are typical for a deployed proxy frontend and do not execute in Node.

Routed to human review because the package is misusing npm as static hosting and documents intent to mass-publish duplicates under sequential names. This is registry abuse worth a maintainer/registry response, but not a supply-chain attack against installers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:29:47Z",
            "id": "IN-MAL-2026-007009",
            "versions": [
                "1.7.7"
            ],
            "import_time": "2026-06-18T17:08:48.088047189Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / abuden221
Affected ranges: 1.*
Affected versions: 1.7.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/abuden221/MAL-2026-6130.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "sha256": "531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579",
            "tlsh": "785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8",
            "path": "auto-publish.sh"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-u64HHiRWrVljng1g8IQoT2gKl6wwvlVUdLNWMspWHFNeb9qe1gb0mc4kGXmcd3K+4pF/Sj0x+RlHvrJat8fU5w==",
                "sha1": "94ed24ccb203358fb4d138840813dffa69cb901b"
            },
            "filename": "abuden221-1.7.7.tgz"
        }
    ]
}