registry  /  timmytuffknuckles9  /  1.1.7

timmytuffknuckles9@1.1.7

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10390 confirms this npm version as malicious. Package is not a Node library — `package.json` declares `main: sw.js`, a browser Service Worker whose first line calls `importScripts('./8cfc2/hgshm.js')`. `importScripts` is undefined in Node, so `require('timmytuffknuckles9')` throws immediately. No `preinstall`, `install`, `postinstall`, or `prepare` lifecycle scripts are declared, so `npm install` does not execute any package code...

Advisory
MAL-2026-10390
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in timmytuffknuckles9 (npm)
Details
Package is not a Node library — `package.json` declares `main: sw.js`, a browser Service Worker whose first line calls `importScripts('./8cfc2/hgshm.js')`. `importScripts` is undefined in Node, so `require('timmytuffknuckles9')` throws immediately. No `preinstall`, `install`, `postinstall`, or `prepare` lifecycle scripts are declared, so `npm install` does not execute any package code. The tarball contains a bundled web app (a Lucide-style web proxy/unblocker) with heavily obfuscated JS assets and a popup ad redirect to `abdct.com`, but those run only inside a browser that loads the Service Worker — not on the developer's machine. Separately, the tarball ships `auto-publish.sh`, a helper that rewrites `package.json.name` in a loop to `timmytuffknuckles1` through `timmytuffknuckles10` and runs `npm publish` for each, evidence that the publisher is using npm as a hosting/CDN-style namespace and mass-publishing near-duplicate package names. This script is not wired to any lifecycle hook and does not run on install. Routing to human review for registry-hygiene assessment (off-purpose use of npm + namespace spam + heavily obfuscated bundled assets) rather than installer-harm. ## Source: ghsa-malware (494c159c67f9b2488892ee0098bf3e008466c212b13b48e132afa7e0ab6b8045) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms timmytuffknuckles9@1.1.7 as malicious (MAL-2026-10390): Malicious code in timmytuffknuckles9 (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory