registry  /  speed4  /  1.1.7

speed4@1.1.7

OSV Malicious Advisory

scanned 13d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5938 confirms this npm version as malicious. speed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains `auto-publish.sh` which sets `BASE="speed"`, `TOTAL=5`, copies the package contents into `tmp_speedN` directories, rewrites `package.json.name` to `speed1`..`speed5`, and runs `npm publish --silent` for each variant...

Advisory
MAL-2026-5938
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in speed4 (npm)
Details
speed4@1.1.7 is part of a self-cloning namespace-squatting family. The tarball contains `auto-publish.sh` which sets `BASE="speed"`, `TOTAL=5`, copies the package contents into `tmp_speedN` directories, rewrites `package.json.name` to `speed1`..`speed5`, and runs `npm publish --silent` for each variant. Nested leftover directories `tmp_speed3/tmp_speed2/tmp_speed1/` shipped inside the tarball confirm the script has been executed at least three times and that all five `speedN` packages distribute identical content. Package metadata is consistent with a squat: generic short name, `"description": "package"`, empty `author` field. The served content is a deceptive HTML page (`index.html`) that advertises a 'Riverbend Tutoring' brand while registering first-gesture click/keydown/touchstart handlers that call `window.open('https://abdct.com/', '_blank', 'noreferrer')` to redirect visitors to an unrelated third-party domain. The tarball additionally bundles a dozen heavily obfuscated JavaScript assets under `assets/` (hex-identifier renamed, single-line minified) duplicated across the nested clone directories. Installing or pulling this package into a build hands the consumer an attacker-controlled deceptive payload bundled under multiple confusable short names on the registry. ## Source: ghsa-malware (b74f9d6ce8c8d20fb97057cf47b536c0939d9d56e2bafe7162fdc15cd4ceb82e) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms speed4@1.1.7 as malicious (MAL-2026-5938): Malicious code in speed4 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory