registry  /  nottuff4  /  1.7.7

nottuff4@1.7.7

OSV Malicious Advisory

scanned 13d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5917 confirms this npm version as malicious. Package ships a Scramjet-based web proxy (sw.js service worker + bare-mux + WASM rewriter under assets/) plus a static 'Riverbend Tutoring' index.html cover page. index.html lines 60-69 install click/keydown/touchstart listeners that call window.open("https://abdct.com/", "_blank", "noreferrer") on first user interaction. The package is one of ~85 throwaway sibling names auto-published via the bundled...

Advisory
MAL-2026-5917
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nottuff4 (npm)
Details
Package ships a Scramjet-based web proxy (sw.js service worker + bare-mux + WASM rewriter under assets/) plus a static 'Riverbend Tutoring' index.html cover page. index.html lines 60-69 install click/keydown/touchstart listeners that call window.open("https://abdct.com/", "_blank", "noreferrer") on first user interaction. The package is one of ~85 throwaway sibling names auto-published via the bundled auto-publish.sh (imillegal*, ishowfeet*, nottuff*, abuden*, ratelimitsucks*); package.json carries placeholder metadata (name 'package', empty author, no homepage/repo). The asset JavaScript is heavily obfuscated (hex-mangled identifiers throughout assets/*.js), consistent with the upstream Scramjet bundles. main is set to sw.js, which begins with importScripts('./8cfc2/hgshm.js') and uses service-worker globals (self.addEventListener for install/activate/fetch/message); require('nottuff4') from Node throws on the first line, so there is no install-time or import-time code path that executes against a developer who runs `npm install nottuff4`. The harm — namespace pollution, ToS-evading proxying, and the monetized popup redirect — only materializes when someone unpacks the tarball and serves it as a website to browser visitors. Routing for human review as registry-policy abuse rather than as a supply-chain attack on installers. ## Source: ghsa-malware (fa6ac915c6a6c43f039731b0770359f0fdf3eb05ff83e498ae4e27664a98970b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms nottuff4@1.7.7 as malicious (MAL-2026-5917): Malicious code in nottuff4 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory