npm · Malicious package advisory
Malwaretimmytuffknuckles9
MAL-2026-10390
Malicious code in timmytuffknuckles9 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (342d7a44db99769023685647376a6042d5a9b345c281826484c9d88561f245ca)
Package is not a Node library — `package.json` declares `main: sw.js`, a browser Service Worker whose first line calls `importScripts('./8cfc2/hgshm.js')`. `importScripts` is undefined in Node, so `require('timmytuffknuckles9')` throws immediately. No `preinstall`, `install`, `postinstall`, or `prepare` lifecycle scripts are declared, so `npm install` does not execute any package code. The tarball contains a bundled web app (a Lucide-style web proxy/unblocker) with heavily obfuscated JS assets and a popup ad redirect to `abdct.com`, but those run only inside a browser that loads the Service Worker — not on the developer's machine. Separately, the tarball ships `auto-publish.sh`, a helper that rewrites `package.json.name` in a loop to `timmytuffknuckles1` through `timmytuffknuckles10` and runs `npm publish` for each, evidence that the publisher is using npm as a hosting/CDN-style namespace and mass-publishing near-duplicate package names. This script is not wired to any lifecycle hook and does not run on install. Routing to human review for registry-hygiene assessment (off-purpose use of npm + namespace spam + heavily obfuscated bundled assets) rather than installer-harm.
## Source: ghsa-malware (494c159c67f9b2488892ee0098bf3e008466c212b13b48e132afa7e0ab6b8045)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (2)
- 1.1.7
- 2.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.