OSV Malicious Advisory
scanned 10d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5915 confirms this npm version as malicious. The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships `auto-publish.sh`, which hard-codes a list of sibling names (`nottuff1..30`, `ishowfeet1..20`, `imillegal1..5`, `abuden*`, `ratelimitsucks*` — `nottuff23` is on the list) and republishes the same payload to each name by rewriting `package.json.name` and running `npm publish...
Advisory
MAL-2026-5915
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nottuff23 (npm)
Details
The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships `auto-publish.sh`, which hard-codes a list of sibling names (`nottuff1..30`, `ishowfeet1..20`, `imillegal1..5`, `abuden*`, `ratelimitsucks*` — `nottuff23` is on the list) and republishes the same payload to each name by rewriting `package.json.name` and running `npm publish --silent`. The shipped content is not a Node library: `package.json.main` points at `sw.js`, a browser service worker that uses `importScripts`, `self.addEventListener('install'|'activate'|'fetch'|'message',...)` — APIs that do not exist in Node and would throw if `require()`'d. The bundled obfuscated `assets/*.js` files are a dormant Ultraviolet-style web-proxy frontend, plus an `index.html` titled "Riverbend Tutoring" that loads remote scripts from `cdn.21baseballacademy.com` and `googletagmanager.com` and opens `https://abdct.com/` on click. There are no npm lifecycle hooks (`scripts` contains only a no-op `test`); `npm install` and `require()` execute no code from this package. Installer-side risk on default install is effectively zero, but the package is registry-namespace abuse: bulk-published spam under squatted names, with heavily obfuscated browser payloads whose intent at the eventual deployment site is not verifiable from this tarball alone. Routing to human review for namespace-abuse / registry-spam disposition.
Decision reason
OSV/OpenSSF confirms nottuff23@1.7.7 as malicious package MAL-2026-5915. Malicious code in nottuff23 (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory