MAL-2026-6136

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ratelimitsucks6/MAL-2026-6136.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6136

Published

2026-06-18T16:30:08Z

Modified

2026-06-18T17:16:47.042939967Z

Summary

Malicious code in ratelimitsucks6 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0)

ratelimitsucks6 is one variant in a numerically-iterated family (ratelimitsucks1, ratelimitsucks2,...) generated by auto-publish.sh shipped inside the tarball. That script is an infinite loop that rewrites package.json's name field to ${BASE_NAME}${COUNT} and runs npm publish --silent for each variant — attacker auto-publication infrastructure accidentally included with the release. Package metadata is deceptive: description is just "package", author is empty, and the package name has no relation to the shipped contents. The tarball ships a full Scramjet web-proxy runtime (sw.js + 8cfc2/hgshm.js, 180 KB), twelve heavily-obfuscated JS bundles under assets/ (hex-mangled identifiers throughout), and an index.html cloaked as "Riverbend Tutoring" that loads a third-party script from cdn.21baseballacademy.com and opens https://abdct.com/ in a new window on the first user interaction. No npm lifecycle hooks are declared and main: sw.js calls importScripts() which is undefined in Node, so the package does not auto-execute on npm install or require(). The harm is registry pollution and namespace abuse: the publisher is flooding npm with iterated lure names hosting an obfuscated browser-side proxy/redirector payload.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "c9f1a5d26cc0e6845ca6fae686a98462270a61b1d97d9ceb834f5046808ffdd0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-18T16:30:08Z",
            "versions": [
                "1.1.7"
            ],
            "id": "IN-MAL-2026-007010",
            "import_time": "2026-06-18T17:08:48.160232901Z"
        }
    ]
}

References

https://www.npmjs.com/package/ratelimitsucks6/v/1.1.7

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / ratelimitsucks6

Package

Name: ratelimitsucks6; View open source insights on deps.dev
Purl: pkg:npm/ratelimitsucks6

Affected ranges

Affected versions

1.*

1.1.7

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ratelimitsucks6/MAL-2026-6136.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "1ddc03600e585dbe77f16ce135d038e8daa41f167b7504ef4a4b4fae91bbf4d5",
            "tlsh": "5ff0dc8811c23e311b2f182969d6b084431eb42224347780b0ce00913fcf1da9503c3b",
            "path": "auto-publish.sh"
        },
        {
            "sha256": "f184e7a00feeeb351e64f9d6ced030eb58efa8493c49b081dee9b3c0fc46b23c",
            "tlsh": "2d226507fee295325673112dbb2a7180ff31810b62158d44b9ed539c2f06a6ac7f36ad",
            "path": "index.html"
        },
        {
            "sha256": "bb00271669f18ad7ee9e0b7d2db0a8285e4a0cd1431676839878d4eb93619d12",
            "tlsh": "98f1629878f611f1425741acc75b6624303be097398bc896bfbc8f102f8639989e37d9",
            "path": "sw.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-sDkrImDYfjjDiONhKCPWwsJUjnTiRbXD6L/bpNCiGSr5ibmdHDXujxg/vm8XwA9nOVk2IhZBN4MAG8dahDv9Sg==",
                "sha1": "81b0b1d3b2978fcabe050269291209bbb58fc33e"
            },
            "filename": "ratelimitsucks6-1.1.7.tgz"
        }
    ]
}