registry  /  ishowfeet14  /  1.1.7

ishowfeet14@1.1.7

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10316 confirms this npm version as malicious. The tarball ships `auto-publish.sh`, a script that republishes the same payload under ~100 distinct npm names (`ishowfeet1`-`ishowfeet20`, `nottuff1`-`nottuff30`, `abuden*`, `imillegal*`, `ratelimitsucks*`, etc/) by rewriting `package.json.name` and running `npm publish --silent` in a loop — namespace-spam infrastructure shipped inside the package itself. The package's declared `main` is `sw.js`, a browser Service...

Advisory
MAL-2026-10316
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ishowfeet14 (npm)
Details
The tarball ships `auto-publish.sh`, a script that republishes the same payload under ~100 distinct npm names (`ishowfeet1`-`ishowfeet20`, `nottuff1`-`nottuff30`, `abuden*`, `imillegal*`, `ratelimitsucks*`, etc/) by rewriting `package.json.name` and running `npm publish --silent` in a loop — namespace-spam infrastructure shipped inside the package itself. The package's declared `main` is `sw.js`, a browser Service Worker (`importScripts('./8cfc2/hgshm.js')`, `self.addEventListener('install'|'activate'|'fetch'|'message')`) that throws immediately if loaded from Node. The shipped assets are a heavily obfuscated Ultraviolet/bare-mux web-proxy frontend with an `index.html` themed as "Riverbend Tutoring" that hides a popunder redirect to `https://abdct.com/` on click/keydown/touchstart. `package.json` declares no `preinstall`/`install`/`postinstall`/`prepare` hooks, and `require('ishowfeet9')` from Node fails before any code runs, so a Node installer experiences no auto-execution. The harm is registry abuse (mass-publication of a misleading name family) and a browser-side proxy/popunder served to whoever later loads these static assets — not installer-side compromise. Routing to human review for namespace-abuse adjudication. ## Source: ghsa-malware (6086ad6dfcf58f692445c974cecf0402415d17d2293758c181e28141a1316479) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms ishowfeet14@1.1.7 as malicious (MAL-2026-10316): Malicious code in ishowfeet14 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory