registry  /  ratelimitsucks  /  1.1.7

ratelimitsucks@1.1.7

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6135 confirms this npm version as malicious. Package is not a library. `main` points at `sw.js`, a browser Service Worker that uses `importScripts`, `self.addEventListener('fetch'|'install'|'activate')`, and `self.clients.claim()` — all undefined in Node, so `require('ratelimitsucks')` throws on the first line...

Advisory
MAL-2026-6135
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in ratelimitsucks (npm)
Details
Package is not a library. `main` points at `sw.js`, a browser Service Worker that uses `importScripts`, `self.addEventListener('fetch'|'install'|'activate')`, and `self.clients.claim()` — all undefined in Node, so `require('ratelimitsucks')` throws on the first line. There are no install lifecycle hooks (`scripts` only declares `test`), so `npm install` of this package does not auto-execute any code on the installer's machine. The shipped contents are a school-filter-bypass web proxy (12 heavily obfuscated `assets/*.js` files with hex-mangled identifiers, a Service Worker that rewrites HTML responses and intercepts navigation), an `index.html` cover page ("Riverbend Tutoring") that loads a third-party script from `cdn.21baseballacademy.com` and opens a popunder to `abdct.com`, and an `auto-publish.sh` script that loops i=1..10, rewrites `package.json.name` to `ratelimitsucks`, `ratelimitsucks1`,..., `ratelimitsucks9`, and runs `npm publish` for each — the author's own mass-publication pipeline shipped inside the tarball. Direct harm to a developer who installs this package is effectively nil (no hooks, no require-safe entry point). The harms are (a) abuse of the npm registry as a CDN for an unrelated proxy site, (b) demonstrated typosquat-name-squatting intent across 10 sibling names, and (c) a popunder ad redirect served from the cover page. Routing to human review for unpublish/registry-abuse handling rather than blocking as an installer-side supply-chain attack. ## Source: ghsa-malware (4d4e8d9ac34f216a40963cee037e04848fdf6b5da7287ffaa052be981667b130) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms ratelimitsucks@1.1.7 as malicious (MAL-2026-6135): Malicious code in ratelimitsucks (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory