registry  /  sixseven7  /  1.7.7

sixseven7@1.7.7

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10379 confirms this npm version as malicious. The package declares no install/postinstall/preinstall lifecycle scripts, and its declared `main` is `sw.js` — a browser ServiceWorker that uses `importScripts`, `self.addEventListener('install'|'fetch'|'activate')`, and `self.clients.claim()`...

Advisory
MAL-2026-10379
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in sixseven7 (npm)
Details
The package declares no install/postinstall/preinstall lifecycle scripts, and its declared `main` is `sw.js` — a browser ServiceWorker that uses `importScripts`, `self.addEventListener('install'|'fetch'|'activate')`, and `self.clients.claim()`. Loading it in Node via `require()` would throw on the browser-only globals before any code ran, so installing this package does not execute any of the bundled assets on a developer's machine. The tarball ships a static 'web unblocker' proxy site (HTML masquerading as 'Riverbend Tutoring' that injects a popunder to https://abdct.com on user click, plus the ServiceWorker that proxies cross-origin fetches and rewrites HTML), along with multiple heavily obfuscated JS bundles under `assets/` (e.g. `assets/3oruu3por5.js`, `assets/blhj60cfaf.js`, etc.) consistent with that proxy site rather than with a Node library. A bundled `auto-publish.sh` enumerates a sequential family of package names (`sixseven1`..`sixseven10`), indicating this publish is part of a name-squat batch on the npm registry. Risk to anyone running `npm install sixseven9` is limited to disk usage and registry pollution; the obfuscated assets and ad popunder only affect end users of a hypothetical site that deploys this code, not developers who install the package. Routing to human review so the registry can decide whether to remove the squat batch. ## Source: ghsa-malware (c6bf675d8acba4a22fa8f6bc4d20498e75ef22e771864c05e5b1dee45f61d7be) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms sixseven7@1.7.7 as malicious (MAL-2026-10379): Malicious code in sixseven7 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory