MAL-2026-6135

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ratelimitsucks/MAL-2026-6135.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6135
Published
2026-06-18T16:30:12Z
Modified
2026-06-18T17:16:46.837937563Z
Summary
Malicious code in ratelimitsucks (npm)
Details

-= Per source details. Do not edit below this line. =-

Source: amazon-inspector (44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f)

Package is not a library. main points at sw.js, a browser Service Worker that uses importScripts, self.addEventListener('fetch'|'install'|'activate'), and self.clients.claim() — all undefined in Node, so require('ratelimitsucks') throws on the first line. There are no install lifecycle hooks (scripts only declares test), so npm install of this package does not auto-execute any code on the installer's machine. The shipped contents are a school-filter-bypass web proxy (12 heavily obfuscated assets/*.js files with hex-mangled identifiers, a Service Worker that rewrites HTML responses and intercepts navigation), an index.html cover page ("Riverbend Tutoring") that loads a third-party script from cdn.21baseballacademy.com and opens a popunder to abdct.com, and an auto-publish.sh script that loops i=1..10, rewrites package.json.name to ratelimitsucks, ratelimitsucks1,..., ratelimitsucks9, and runs npm publish for each — the author's own mass-publication pipeline shipped inside the tarball. Direct harm to a developer who installs this package is effectively nil (no hooks, no require-safe entry point). The harms are (a) abuse of the npm registry as a CDN for an unrelated proxy site, (b) demonstrated typosquat-name-squatting intent across 10 sibling names, and (c) a popunder ad redirect served from the cover page. Routing to human review for unpublish/registry-abuse handling rather than blocking as an installer-side supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "44ed99ce54c3f8b6fa4f1bfa207a593bbf0d441c9eeee7d29dbc991098f8e12f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:30:12Z",
            "versions": [
                "1.7.7"
            ],
            "id": "IN-MAL-2026-007011",
            "import_time": "2026-06-18T17:08:48.212748944Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / ratelimitsucks
Affected ranges: 1.*
Affected versions: 1.7.7

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ratelimitsucks/MAL-2026-6135.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "531f9f053e08a20d7b414c57a06140b8783bf87d8b5fdc225028a92757735579",
            "tlsh": "785174816a6f553c1f0b44fcfacb00a0621a972b196d3d19b5df8098ff6d36c701a6d8",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        },
        {
            "sha256": "0349f0ef0db1d4031e5ff14250c50a82fb3ca3898fda48747145a7c67dfe9273",
            "tlsh": "9fd0a7741e50553309c549161c28e4477220df2f1044380993df182c918dab75cf739e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-0L48UzAIysND+B++iWbfCt+kFhj2UcsIPlwyJHJ58K3iAH5IhhvWHOoC4mvOFRdhyEHkCSI2IAEewcwlBqWvWA==",
                "sha1": "d09871a3e536923557c8e6c784a27cbacdff30c2"
            },
            "filename": "ratelimitsucks-1.7.7.tgz"
        }
    ]
}