registry  /  nottuff7  /  1.7.7

nottuff7@1.7.7

OSV Malicious Advisory

scanned 13d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5918 confirms this npm version as malicious. This package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh which iterates the name list and runs `npm publish` for each, documenting the registry-pollution intent. The package's declared main entry `sw.js` is a browser...

Advisory
MAL-2026-5918
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nottuff7 (npm)
Details
This package is one of ~95 names in a coordinated spam-publication family (nottuff1-30, ishowfeet1-20, imillegal1-5, abuden*, ratelimitsucks*) republishing the same Scramjet web-proxy payload as a static site. The tarball includes auto-publish.sh which iterates the name list and runs `npm publish` for each, documenting the registry-pollution intent. The package's declared main entry `sw.js` is a browser ServiceWorker (`importScripts('./8cfc2/hgshm.js')`, `self.addEventListener('install'|'fetch'|...)`) — it cannot execute under Node, so `npm install` and `require()` produce no installer-side code execution and there are no lifecycle hooks. Heavily obfuscated bundles in assets/*.js are loaded only when the assets are served to a browser via an npm CDN (unpkg/jsdelivr), which appears to be the actual distribution channel — letting users bypass web filters by reaching the proxy through registry-CDN hostnames. The cover page (index.html, titled 'Riverbend Tutoring') ships a click/keydown/touchstart popunder opening https://abdct.com/, indicating ad-monetization motive. No installer credential theft, no exfiltration, no install-time RCE. ## Source: ghsa-malware (4c560f85796bad830999cf36c1683ca160a67fa4540f3e670742f6e448559560) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms nottuff7@1.7.7 as malicious (MAL-2026-5918): Malicious code in nottuff7 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory