OSV Malicious Advisory
scanned 10d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5937 confirms this npm version as malicious. The tarball ships `auto-publish.sh`, which iterates a hardcoded list of ~90 unrelated package names (`imillegal1..N`, `ishowfeet*`, `nottuff*`, `abuden*`, `ratelimitsucks*`) and runs `npm publish --silent` for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in `assets/*.js`. `package.json` has no...
Advisory
MAL-2026-5937
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in abuden21 (npm)
Details
The tarball ships `auto-publish.sh`, which iterates a hardcoded list of ~90 unrelated package names (`imillegal1..N`, `ishowfeet*`, `nottuff*`, `abuden*`, `ratelimitsucks*`) and runs `npm publish --silent` for each, republishing the same payload under each name. The payload is a browser SPA (Mercury/Scramjet-style web proxy with a Lucide UI) plus heavily obfuscated JS bundles in `assets/*.js`. `package.json` has no `preinstall`/`install`/`postinstall` hooks and no `bin`; the declared `main` is a browser service worker (`sw.js`) that calls `importScripts`/`self` and throws immediately under Node, so `npm install abuden21` and `require('abuden21')` perform no code execution against the installer. The bundled `index.html` (and a duplicate inside `logo.svg`) registers click/keydown/touchstart handlers that open `https://abdct.com/` as a popunder on first user gesture when the SPA is served in a browser — monetisation of the web-proxy front-end, not installer-side harm. No credential reads, no outbound exfiltration on install, no RCE, no dropper. The behaviour of concern is namespace pollution: the same tarball is mass-published across many unrelated names to squat the npm namespace and ride traffic / typo'd installs. Routing to human review for namespace-abuse handling; this is not a direct supply-chain attack on installers but is an abuse pattern the registry/feed maintainers may want to act on.
Decision reason
OSV/OpenSSF confirms abuden21@1.7.7 as malicious package MAL-2026-5937. Malicious code in abuden21 (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory